Priv Escalation

In order to escape Rbash I had to use the following ssh command.

ssh mindy@10.10.10.51 -t "bash --noprofile"

Once I transferred linpeas, the script identified numerous vectors.

  1. PwnKit

Upon transfer of the PwnKit binary, I was able to run the 32-bit version of the binary and get root access to the machine.

ROOT!

  2. Other user: James

  3. Internal Server

  4. SUID binaries

Internal Processes

According to PSpy, there was a process that would run a couple of times after being called as a cron job.

Watching the commands run, we can see that the cron job command runs and then this tmp.py Python script, which chains the command below.

This is important because this Python script is actually running as root, and thus we can manipulate it to get a reverse shell.

I transferred my Python reverse shell client, which specified our attacker IP, to the machine. I replaced tmp.py using the cat command.

cat client.py > /opt/tmp.py

Once I waited a couple of minutes I got a reverse shell on my listener.
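
From the defender's side, the condition this step relied on is a script run by root's cron job that a non-root user can overwrite. The following added example (not part of the original write-up) audits an /etc/crontab-style entry for that condition; the sample cron line and the function names are assumptions, and only the /opt/tmp.py path comes from the page.

```python
import os
import shlex
import stat

TRUSTED_UIDS = frozenset({0})  # assumption: only root may alter what root's cron runs


def weak_points(path, trusted_uids=TRUSTED_UIDS):
    """Return reasons a non-trusted user could change the file at `path`."""
    reasons = []
    real = os.path.realpath(path)
    for target in (real, os.path.dirname(real)):  # the file, then its directory
        st = os.stat(target)
        if st.st_uid not in trusted_uids:
            reasons.append(f"{target}: owned by uid {st.st_uid}")
        if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX:
            continue  # sticky directory: others cannot replace entries they do not own
        if st.st_mode & stat.S_IWOTH:
            reasons.append(f"{target}: world-writable")
        if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
            reasons.append(f"{target}: writable by gid {st.st_gid}")
    return reasons


def audit_cron_line(line, trusted_uids=TRUSTED_UIDS):
    """Map each existing absolute path in a root /etc/crontab entry to its weak points."""
    fields = line.split(None, 6)  # five time fields, user, command
    if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
        return {}
    try:
        tokens = shlex.split(fields[6])
    except ValueError:  # unbalanced quotes: fall back to whitespace splitting
        tokens = fields[6].split()
    report = {}
    for token in tokens:
        if token.startswith("/") and os.path.exists(token):
            reasons = weak_points(token, trusted_uids)
            if reasons:
                report[token] = reasons
    return report


if __name__ == "__main__":
    # Constructed sample entry; only the /opt/tmp.py path comes from the write-up.
    sample = "*/3 * * * * root python /opt/tmp.py"
    for script, reasons in audit_cron_line(sample).items():
        print(script, *reasons, sep="\n  ")
```

An empty result means the file and its directory are owned by a trusted uid and are not group- or world-writable; the check covers only the script and its immediate directory, not every ancestor path.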
