I decided to check for sudo privileges of the current user after running some basic enumeration. This mostly doesn’t work for www-data, as it is a service account for the web server. Nobody really configures sudoers for such an account.

www-data


$ sudo -l
Matching Defaults entries for www-data on tartarsauce:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on tartarsauce:
    (onuma) NOPASSWD: /bin/tar

Apparently, the www-data user is able to execute /bin/tar as the onuma user without being prompted for a password.

tar


Tar is susceptible to the sudo privilege escalation method. In this context, it can be used to elevate privileges to the onuma user.
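From the defender's side, a rule like the one above can be caught by auditing `sudo -l` output for each account. The following Python is an added example, not part of the original write-up; the sample output is constructed, and the `EXEC_CAPABLE` and `SERVICE_ACCOUNTS` lists are assumptions to be replaced with your own baseline.

```python
import re

# Constructed sample in the standard `sudo -l` layout, mirroring the entry above.
SAMPLE = """\
Matching Defaults entries for www-data on tartarsauce:
    env_reset, mail_badpass
User www-data may run the following commands on tartarsauce:
    (onuma) NOPASSWD: /bin/tar
    (root) /usr/bin/systemctl status nginx
"""

# Assumption: illustrative subset of programs that launch other programs by design.
EXEC_CAPABLE = {"tar", "find", "vim", "less", "awk"}
SERVICE_ACCOUNTS = {"www-data"}  # assumption: accounts that should hold no sudo rules

USER_RE = re.compile(r"^User (\S+) may run the following commands")
RULE_RE = re.compile(r"^\s+\(([^)]+)\)\s+(.+)$")
TAG_RE = re.compile(r"([A-Z_]+):\s*")

def parse_sudo_l(text):
    """Return (user, rules); each rule is (runas, tags, command)."""
    user, rules = None, []
    for line in text.splitlines():
        if m := USER_RE.match(line):
            user = m.group(1)
        elif user and (m := RULE_RE.match(line)):
            runas, rest, tags = m.group(1), m.group(2), []
            while t := TAG_RE.match(rest):      # NOPASSWD:, SETENV:, ...
                tags.append(t.group(1))
                rest = rest[t.end():]
            for cmd in re.split(r"(?<!\\),\s*", rest):  # "\," is an escaped comma
                rules.append((runas, tuple(tags), cmd.strip()))
    return user, rules

def audit(text):
    """Return a list of (command, runas, reasons) for rules worth reviewing."""
    user, rules = parse_sudo_l(text)
    findings = []
    for runas, tags, cmd in rules:
        binary = cmd.split()[0].rsplit("/", 1)[-1]
        checks = [
            (user in SERVICE_ACCOUNTS, "service account holds a sudo rule"),
            ("NOPASSWD" in tags, "no password required"),
            (binary in EXEC_CAPABLE, "program can launch other programs"),
        ]
        reasons = [msg for hit, msg in checks if hit]
        if reasons:
            findings.append((cmd, runas, reasons))
    return findings
```

Calling `audit(SAMPLE)` flags the `/bin/tar` rule for all three reasons and the second, constructed rule only because a service account holds it.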