developer


Checking the sudo privileges of the developer user after the lateral movement

developer@updown:~$ sudo -l
matching defaults entries for developer on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
user developer may run the following commands on localhost:
    (all) nopasswd: /usr/local/bin/easy_install

The developer user can execute the /usr/local/bin/easy_install command as the root user without being prompted for a password
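From a hardening point of view, this sudoers rule is the finding: a package installer runs code shipped in the package it installs, so granting it under sudo is equivalent to granting root. The following audit sketch is an added example, not part of the original write-up; it parses `sudo -l` output and flags such grants. The tool list and the function names are assumptions chosen for illustration.

```python
import os
import re

# Illustrative, non-exhaustive set of tools that execute caller-supplied code
# (package installers and interpreters). Assumption: extend it for your estate.
CODE_EXEC_TOOLS = {"easy_install", "pip", "pip3", "python", "python3",
                   "perl", "ruby", "node", "npm", "gem"}
# One rule line from `sudo -l`: "(runas) [TAG: ...] command[, command ...]"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Za-z_]+:\s*)*)(?P<cmds>.+)$")

def parse_sudo_l(text):
    """Return one dict per command granted in `sudo -l` output."""
    grants, in_rules = [], False
    for line in text.splitlines():
        # Case-insensitive: the capture in this write-up is lowercased.
        if re.search(r"may run the following commands", line, re.I):
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        tags = {t.strip().upper() for t in m["tags"].split(":") if t.strip()}
        for cmd in m["cmds"].split(", "):
            grants.append({"runas": m["runas"].strip(), "command": cmd.strip(),
                           "nopasswd": "NOPASSWD" in tags})
    return grants

def findings(text):
    """Flag grants that let a code-executing tool run as root or as any user."""
    out = []
    for g in parse_sudo_l(text):
        parts = g["command"].split()
        if not parts:
            continue
        binary = os.path.basename(parts[0]).lower()
        users = [u.strip().lower() for u in re.split(r"[:,]", g["runas"])]
        if binary in CODE_EXEC_TOOLS and ("all" in users or "root" in users):
            out.append((g["command"],
                        "no password" if g["nopasswd"] else "password required"))
    return out

# The `sudo -l` output shown above, copied as it appears in this write-up.
SAMPLE = r"""matching defaults entries for developer on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

user developer may run the following commands on localhost:
    (all) nopasswd: /usr/local/bin/easy_install
"""
if __name__ == "__main__":
    print(findings(SAMPLE))
```

Any hit should be replaced with a narrowly scoped wrapper or removed from sudoers, since restricting arguments does not make an installer safe to run as root.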

easy_install


developer@updown:~$ file /usr/local/bin/easy_install
/usr/local/bin/easy_install: Python script, ASCII text executable
developer@updown:~$ ll /usr/local/bin/easy_install
-rwxr-xr-x 1 root root 229 Aug  1  2022 /usr/local/bin/easy_install*
 
developer@updown:~$ cat /usr/local/bin/easy_install
#!/usr/bin/python
# -*- coding: utf-8 -*-
import re
import sys
from setuptools.command.easy_install import main
if __name__ == '__main__':
    sys.argv[0] = re.sub(r'(-script\.pyw|\.exe)?$', '', sys.argv[0])
    sys.exit(main())

easy_install is a command-line tool that was part of the setuptools package in Python 2. It was designed to simplify installing, managing, and distributing Python packages. easy_install in Python 2 lacked robust security features, which raised concerns about package integrity during downloads. Users criticized its absence of default SSL/TLS, which exposed installations to possible man-in-the-middle attacks. Arbitrary code execution during installation posed security risks, especially when dealing with untrusted packages. The tool's deprecated status and lack of ongoing support left security vulnerabilities unaddressed. Modern package managers like pip replaced easy_install, offering improved security features, better integrity verification, and continued community support.

As showcased in GTFOBins, it can be abused in many different ways

That includes sudo exploitation as well. Moving on to the Privilege Escalation phase