cassie
Checking for sudo privileges of the cassie user after making the lateral movement
cassie@clue:~$ sudo -l
Matching Defaults entries for cassie on clue:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User cassie may run the following commands on clue:
    (ALL) NOPASSWD: /usr/local/bin/cassandra-web
The cassie user is able to execute the /usr/local/bin/cassandra-web command as any user without being prompted for a password.
We have already established that the target’s cassandra-web instance is vulnerable to remote file read.
If I could start an instance as the root account, I should be able to read any file on the target system by leveraging the vulnerability.
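Seen from the audit side, the sudo -l output above is enough to flag this rule automatically. The following is an added example, not part of the original write-up: it parses that output and reports passwordless rules that run as root or ALL, noting whether the caller controls the arguments. The reviewed allowlist parameter is hypothetical, and leading tags are assumed to apply to the whole rule line.

```python
import re

# Output of `sudo -l` as shown on this page (embedded so the example runs offline).
SAMPLE = """\
Matching Defaults entries for cassie on clue:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User cassie may run the following commands on clue:
    (ALL) NOPASSWD: /usr/local/bin/cassandra-web
"""

RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")  # NOPASSWD:, SETENV:, NOEXEC:, ...

def parse_sudo_l(text):
    """Return one dict per rule line: run-as users, tags and commands."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE.match(line) if in_rules else None
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while (t := TAG.match(rest)):          # peel off leading tags
            tags.append(t.group(1))
            rest = rest[t.end():]
        runas = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        commands = [c.strip() for c in rest.split(", ")]
        rules.append({"runas": runas, "tags": tags, "commands": commands})
    return rules

def findings(rules, reviewed=frozenset()):
    """List (command, any_args) for NOPASSWD rules that run as root or ALL."""
    out = []
    for r in rules:
        as_root = any(u in ("ALL", "root") for u in r["runas"])
        if not (as_root and "NOPASSWD" in r["tags"]):
            continue
        for cmd in r["commands"]:
            if cmd not in reviewed:
                # A bare path in sudoers lets the caller choose every argument.
                out.append((cmd, len(cmd.split()) == 1))
    return out

if __name__ == "__main__":
    for cmd, any_args in findings(parse_sudo_l(SAMPLE)):
        print(f"review: {cmd} (NOPASSWD as root, caller-chosen args: {any_args})")
```

A service binary that appears here with caller-chosen arguments runs with root's file access, so any file-read flaw in it exposes the whole filesystem.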