Priv Esc | OffSec Proving Grounds

Last updated 4 months ago

clumsyadmin@xposedapi:/home/clumsyadmin$ find / -type f -perm -04000 -ls 2>/dev/null <yadmin$ find / -type f -perm -04000 -ls 2>/dev/null 273373 52 -rwsr-xr-- 1 root messagebus 51184 Jul 5 2020 /usr/lib/dbus-1.0/dbus-daemon-launch-helper 276719 428 -rwsr-xr-x 1 root root 436552 Jan 31 2020 /usr/lib/openssh/ssh-keysign 398815 12 -rwsr-xr-x 1 root root 10232 Mar 28 2017 /usr/lib/eject/dmcrypt-get-device 266035 52 -rwsr-xr-x 1 root root 51280 Jan 10 2019 /usr/bin/mount 262183 64 -rwsr-xr-x 1 root root 63736 Jul 27 2018 /usr/bin/passwd 265710 64 -rwsr-xr-x 1 root root 63568 Jan 10 2019 /usr/bin/su 276984 456 -rwsr-xr-x 1 root root 466496 Apr 5 2019 /usr/bin/wget 282583 36 -rwsr-xr-x 1 root root 34896 Apr 22 2020 /usr/bin/fusermount 266037 36 -rwsr-xr-x 1 root root 34888 Jan 10 2019 /usr/bin/umount 262179 56 -rwsr-xr-x 1 root root 54096 Jul 27 2018 /usr/bin/chfn 262180 44 -rwsr-xr-x 1 root root 44528 Jul 27 2018 /usr/bin/chsh 265563 44 -rwsr-xr-x 1 root root 44440 Jul 27 2018 /usr/bin/newgrp 272436 156 -rwsr-xr-x 1 root root 157192 Jan 20 2021 /usr/bin/sudo 262182 84 -rwsr-xr-x 1 root root 84016 Jul 27 2018 /usr/bin/gpasswd

bash-5.0# whoami && cat /root/proof.txt && ip addr whoami && cat /root/proof.txt && ip addr root a2ac32aa193d0d7634ea5742e51ce05c 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 00:50:56:bf:e3:d5 brd ff:ff:ff:ff:ff:ff inet 192.168.214.134/24 brd 192.168.214.255 scope global ens192 valid_lft forever preferred_lft forever