skunk
Checking for sudo privileges of the skunk user after making the lateral movement
skunk@debian:~$ sudo -l
Matching Defaults entries for skunk on debian:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User skunk may run the following commands on debian:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/composer --working-dir\=/var/www/html/lavita *
skunk@debian:~$ id
uid=1001(skunk) gid=1001(skunk) groups=1001(skunk),27(sudo),33(www-data)- The
skunkuser is part of thesudogroup. The user is essentially therootaccount.- However, it would prompt for password, and password of the
skunkuser is not known at this time.
- However, it would prompt for password, and password of the
- Additionally, the user is able to execute the
/usr/bin/composer --working-dir\=/var/www/html/lavita *command as therootaccount without getting prompted for password
Composer
/Practice/LaVita/4-Post_Enumeration/attachments/{C04D59E8-B6D9-4E6A-A63A-7F761354AE4C}.png)
According to GTFObins, composer can be abused for privilege escalation
Moving on to the Privilege Escalation phase