apache
Checking for sudo privileges of the apache user after completing a manual enumeration
bash-4.2$ sudo -l
Matching Defaults entries for apache on megavolt:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User apache may run the following commands on megavolt:
(ALL) NOPASSWD: /usr/bin/tee /var/log/httpd/*The user is able to execute /usr/bin/tee /var/log/httpd/* without getting prompted for password
The wildcard bit, *, could be abused for Privilege Escalation