InfoSec LAB

SPX_sudo_privileges_profiler

Created: 3 min read

profiler

Checking for sudo privileges of the profiler user after making the lateral movement

profiler@spx:~$ sudo
[sudo] password for profiler: lowprofile
 
Matching Defaults entries for profiler on spx:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty
 
User profiler may run the following commands on spx:
    (ALL) /usr/bin/make install -C /home/profiler/php-spx

The profiler user is able to execute the /usr/bin/make install -C /home/profiler/php-spx command as anyone

/home/profiler/php-spx

profiler@spx:~$ ll /home/profiler/php-spx
total 1168
drwxr-xr-x 12 profiler profiler   4096 Sep 12  2024 ./
drwxr-x---  4 profiler profiler   4096 Apr  8 15:26 ../
drwxr-xr-x  3 profiler profiler   4096 Sep 12  2024 assets/
drwxr-xr-x  2 profiler profiler   4096 Sep 12  2024 autom4te.cache/
drwxr-xr-x  2 profiler profiler   4096 Sep 12  2024 build/
-rw-r--r--  1 profiler profiler   4761 Sep 12  2024 CHANGELOG.md
-rw-r--r--  1 profiler profiler   1909 Sep 12  2024 config.h
-rw-r--r--  1 profiler profiler   1801 Sep 12  2024 config.h.in
-rw-r--r--  1 profiler profiler  22356 Sep 12  2024 config.log
-rw-r--r--  1 profiler profiler   2869 Sep 12  2024 config.m4
-rwxr-xr-x  1 profiler profiler     70 Sep 12  2024 config.nice*
-rwxr-xr-x  1 profiler profiler  45353 Sep 12  2024 config.status*
-rwxr-xr-x  1 profiler profiler 436459 Sep 12  2024 configure*
-rw-r--r--  1 profiler profiler   5431 Sep 12  2024 configure.ac
-rw-r--r--  1 profiler profiler    288 Sep 12  2024 CONTRIBUTING.md
-rw-r--r--  1 profiler profiler      0 Sep 12  2024 EXPERIMENTAL
drwxr-xr-x  8 profiler profiler   4096 Sep 12  2024 .git/
drwxr-xr-x  3 profiler profiler   4096 Sep 12  2024 .github/
-rw-r--r--  1 profiler profiler    365 Sep 12  2024 .gitignore
drwxr-xr-x  2 profiler profiler   4096 Sep 12  2024 include/
drwxr-xr-x  2 profiler profiler   4096 Sep 12  2024 .libs/
-rwxr-xr-x  1 profiler profiler 342367 Sep 12  2024 libtool*
-rw-r--r--  1 profiler profiler  35149 Sep 12  2024 LICENSE
-rw-r--r--  1 profiler profiler  14798 Sep 12  2024 Makefile
-rw-r--r--  1 profiler profiler    363 Sep 12  2024 Makefile.frag
-rw-r--r--  1 profiler profiler    363 Sep 12  2024 Makefile.fragments
-rw-r--r--  1 profiler profiler   6001 Sep 12  2024 Makefile.objects
drwxr-xr-x  2 profiler profiler   4096 Sep 12  2024 modules/
-rw-r--r--  1 profiler profiler  30341 Sep 12  2024 README.md
-rw-r--r--  1 profiler profiler 139754 Sep 12  2024 run-tests.php
-rw-r--r--  1 profiler profiler    911 Sep 12  2024 spx.la
drwxr-xr-x  3 profiler profiler   4096 Sep 12  2024 src/
drwxr-xr-x  2 profiler profiler   4096 Sep 12  2024 tests/

The /home/profiler/php-spx directory is owned and under the complete control the current user; profiler This would mean that I could alter the Makefile file to get code executed as the root account Moving on to the Privilege Escalation phase

Interactive Graph View

Backlinks