jack


Checking for sudo privileges of the jack user after making the lateral movement

jack@BitForge:~$ sudo -l
Matching Defaults entries for jack on bitforge:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty,
    !env_reset
 
User jack may run the following commands on bitforge:
    (root) NOPASSWD: /usr/bin/flask_password_changer

The jack user is able to execute the /usr/bin/flask_password_changer command as the root user without being prompted for a password

/usr/bin/flask_password_changer


jack@BitForge:~$ cat /usr/bin/flask_password_changer
#!/bin/bash
cd /opt/password_change_app 
/usr/local/bin/flask run --host 127.0.0.1 --port 9000 --no-debug
 
jack@BitForge:~$ ll /usr/bin/flask_password_changer
-rwxr-xr-x 1 root root 106 Jan 16 14:42 /usr/bin/flask_password_changer*

The /usr/bin/flask_password_changer file is a Bash script that changes into the /opt/password_change_app directory and starts a Flask application listening on the 127.0.0.1:9000 network socket. It is owned by the root user with mode 0755, so no other user can modify the script itself

/opt/password_change_app


jack@BitForge:~$ ll /opt/password_change_app
total 16
drwxr-xr-x 3 jack jack 4096 Jan 16 13:21 ./
drwxr-xr-x 4 root root 4096 Jan 16 13:21 ../
-rw-r--r-- 1 jack jack  134 Jan 16 13:21 app.py
drwxr-xr-x 2 jack jack 4096 Jan 16 13:21 templates/

However, the jack user owns the /opt/password_change_app directory and the app.py file inside it, and therefore has full write access to both

/opt/password_change_app/app.py


jack@BitForge:~$ cat /opt/password_change_app/app.py 
from flask import Flask, render_template
 
app = Flask(__name__)
 
@app.route("/")
def home():
    return render_template("index.html")

This is a privilege escalation vector: the Flask application is started as root through sudo, yet the jack user can overwrite the /opt/password_change_app/app.py file that it loads
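As an added example (not part of the original writeup), a small audit a defender could run over NOPASSWD sudo targets: it parses a wrapper script for the paths it depends on and reports which of them the sudo-allowed user can modify. The ownership data is constructed to mirror the listings above; uid 1000 for jack is an assumption.

```python
import posixpath
import re
import stat

# Constructed copy of the wrapper script shown above.
WRAPPER = """#!/bin/bash
cd /opt/password_change_app
/usr/local/bin/flask run --host 127.0.0.1 --port 9000 --no-debug
"""

# Constructed ownership data mirroring the `ll` output: path -> (uid, gid, mode).
# uid 0 is root; uid 1000 for jack is an assumed value.
ROOT, JACK = 0, 1000
FAKE_FS = {
    "/usr/bin/flask_password_changer": (ROOT, ROOT, 0o755),
    "/usr/local/bin/flask":            (ROOT, ROOT, 0o755),
    "/opt":                            (ROOT, ROOT, 0o755),
    "/opt/password_change_app":        (JACK, JACK, 0o755),
    "/opt/password_change_app/app.py": (JACK, JACK, 0o644),
}

def referenced_paths(script):
    """Collect the `cd` target and every absolute path a wrapper script invokes."""
    paths = set()
    for line in script.splitlines():
        line = line.split("#", 1)[0].strip()   # drops comments and the shebang
        m = re.match(r"cd\s+(\S+)", line)
        if m:
            paths.add(m.group(1))
        paths.update(tok for tok in line.split() if tok.startswith("/"))
    return paths

def writable_by(entry, uid, gids):
    """True if a user with this uid/gid set can write to the file described by entry."""
    owner, group, mode = entry
    if uid == owner:
        return bool(mode & stat.S_IWUSR)
    if group in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)

def audit_sudo_target(target, script, fs, uid, gids):
    """Return every path the sudo target depends on (the script, its parents,
    referenced paths and their contents) that the sudoer can modify."""
    scope = set()
    for p in {target} | referenced_paths(script):
        scope.update({p, posixpath.dirname(p)})
        scope.update(q for q in fs if q.startswith(p.rstrip("/") + "/"))
    return sorted(q for q in scope if q in fs and writable_by(fs[q], uid, gids))
```

Running the audit against the constructed data flags the application directory and app.py as jack-writable, which is exactly the misconfiguration described above; a hardened layout with both owned by root reports nothing.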