briand


Checking the sudo privileges of the briand user after the lateral movement:

briand@onlyrands:~$ sudo -l
Matching Defaults entries for briand on onlyrands:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User briand may run the following commands on onlyrands:
    (root) NOPASSWD: /usr/bin/systemctl status teamcity-server.service

The briand user can run the /usr/bin/systemctl status teamcity-server.service command as the root account without being prompted for a password.

systemctl


While the sudo command appears innocent, the systemctl binary uses less as its default pager. This means the current sudo privileges extend to executing the less binary, which is well explained on GTFOBins.

Moving on to the privilege escalation phase.
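
A defender-side check for the rule shown above, as an added example that is not part of the original write-up: it parses `sudo -l` output and flags rules that run a pager-capable systemd tool without `--no-pager` or the sudoers NOEXEC tag. The tool list, the function name audit_sudo_listing and the sample listing are assumptions constructed for illustration.

```python
import re

# Assumption: systemd tools that send output through a pager (less) by default.
PAGER_TOOLS = {"systemctl", "journalctl"}

# Constructed sample: the rule from this page plus two hardened variants.
SAMPLE = """\
User briand may run the following commands on onlyrands:
    (root) NOPASSWD: /usr/bin/systemctl status teamcity-server.service
    (root) NOPASSWD: /usr/bin/systemctl --no-pager status teamcity-server.service
    (root) NOEXEC: NOPASSWD: /usr/bin/journalctl -u teamcity-server.service
"""

# One rule line of `sudo -l`: "(runas) TAG: TAG: /path/to/cmd args[, /other/cmd]"
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>/.*)$")


def audit_sudo_listing(listing):
    """Return rules that let a pager-capable tool start its pager via sudo."""
    findings = []
    for line in listing.splitlines():
        m = RULE.match(line)
        if not m:
            continue  # Defaults entries, headers, blank lines
        tags = set(re.findall(r"[A-Z_]+", m["tags"]))
        # Several commands can share one line, separated by commas.
        for cmd in re.split(r",\s*(?=/)", m["cmds"]):
            argv = cmd.split()
            tool = argv[0].rsplit("/", 1)[-1]
            if tool not in PAGER_TOOLS:
                continue
            # Either mitigation keeps the pager from running with the target
            # user's privileges: NOEXEC makes sudo block exec calls from the
            # (dynamically linked) command, --no-pager disables paging.
            if "NOEXEC" in tags or "--no-pager" in argv[1:]:
                continue
            findings.append({"runas": m["runas"], "command": cmd.strip(),
                             "fix": "add --no-pager to the rule or tag it NOEXEC"})
    return findings


if __name__ == "__main__":
    for f in audit_sudo_listing(SAMPLE):
        print(f"[!] ({f['runas']}) {f['command']} -> {f['fix']}")
```

Because sudoers matches command arguments literally, a rule rewritten with `--no-pager` only permits the invocation that includes that flag.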