www-data


Checking the sudo privileges of the www-data account after performing manual system enumeration.

www-data@walla:/var/www/html$ sudo -l
Matching Defaults entries for www-data on walla:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
User www-data may run the following commands on walla:
    (ALL) NOPASSWD: /sbin/ifup
    (ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py
    (ALL) NOPASSWD: /bin/systemctl start hostapd.service
    (ALL) NOPASSWD: /bin/systemctl stop hostapd.service
    (ALL) NOPASSWD: /bin/systemctl start dnsmasq.service
    (ALL) NOPASSWD: /bin/systemctl stop dnsmasq.service
    (ALL) NOPASSWD: /bin/systemctl restart dnsmasq.service

Several privileged commands are granted to the www-data account.

hostapd.service


www-data@walla:/var/www/html$ systemctl status hostapd.service
systemctl status hostapd.service
 hostapd.service - Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
   Loaded: loaded (/lib/systemd/system/hostapd.service; enabled; vendor preset: enabled)
   Active: activating (auto-restart) (Result: exit-code) since Thu 2025-03-27 11:52:42 EDT; 57ms ago
  Process: 22181 ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF} (code=exited, status=1/FAILURE)

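/lib/systemd/system/hostapd.service is loaded and enabled, but it is not running: the status output shows it in an auto-restart loop, with ExecStart exiting with status 1.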

www-data@walla:/var/www/html$ cat /lib/systemd/system/hostapd.service
[Unit]
Description=Advanced IEEE 802.11 AP and IEEE 802.1X/WPA/WPA2/EAP Authenticator
After=network.target
 
[Service]
Type=forking
PIDFile=/run/hostapd.pid
Restart=on-failure
RestartSec=2
Environment=DAEMON_CONF=/etc/hostapd/hostapd.conf
EnvironmentFile=-/etc/default/hostapd
ExecStart=/usr/sbin/hostapd -B -P /run/hostapd.pid -B $DAEMON_OPTS ${DAEMON_CONF}
 
[Install]
WantedBy=multi-user.target
 
www-data@walla:/var/www/html$ ll /lib/systemd/system/hostapd.service
4.0K -rw-r--r-- 1 root root 396 Mar 24  2020 /lib/systemd/system/hostapd.service

The /lib/systemd/system/hostapd.service file cannot be altered by the www-data account. /etc/hostapd/hostapd.conf is the configuration file.

/etc/hostapd/hostapd.conf


www-data@walla:/var/www/html$ cat /etc/hostapd/hostapd.conf
driver=nl80211
ctrl_interface=/var/run/hostapd
ctrl_interface_group=0
beacon_int=100
auth_algs=1
wpa_key_mgmt=WPA-PSK
ssid=raspi-webgui
channel=1
hw_mode=g
wpa_passphrase=ChangeMe
interface=wlan0
wpa=2
wpa_pairwise=CCMP
country_code=
## Rapberry Pi 3 specific to on board WLAN/WiFi
#ieee80211n=1 # 802.11n support (Raspberry Pi 3)
#wmm_enabled=1 # QoS support (Raspberry Pi 3)
#ht_capab=[HT40][SHORT-GI-20][DSSS_CCK-40] # (Raspberry Pi 3)
 
## RaspAP wireless client AP mode
#interface=uap0
 
## RaspAP bridge AP mode (disabled by default)
#bridge=br0
 
www-data@walla:/var/www/html$ ll /etc/hostapd/hostapd.conf
4.0K -rw-r--r-- 1 root root 550 Sep 17  2020 /etc/hostapd/hostapd.conf

The /etc/hostapd/hostapd.conf file cannot be altered by the www-data account.

dnsmasq.service


www-data@walla:/var/www/html$ systemctl status dnsmasq.service
systemctl status dnsmasq.service
 dnsmasq.service - dnsmasq - A lightweight DHCP and caching DNS server
   Loaded: loaded (/lib/systemd/system/dnsmasq.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2024-08-02 17:20:33 EDT; 7 months 23 days ago
  Process: 1143 ExecStartPre=/usr/sbin/dnsmasq --test (code=exited, status=0/SUCCESS)
  Process: 1144 ExecStart=/etc/init.d/dnsmasq systemd-exec (code=exited, status=0/SUCCESS)
  Process: 1154 ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf (code=exited, status=0/SUCCESS)
 Main PID: 1153 (dnsmasq)
    Tasks: 1 (limit: 2358)
   Memory: 1.0M
   CGroup: /system.slice/dnsmasq.service
           └─1153 /usr/sbin/dnsmasq -x /run/dnsmasq/dnsmasq.pid -u dnsmasq -r /run/dnsmasq/resolv.conf -7 /etc/dnsmasq.d,.dpkg-dist,.dpkg-old,.dpkg-new --local-service --trust-anchor=.,20326,8,2,e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d

Loaded, enabled and running /lib/systemd/system/dnsmasq.service

www-data@walla:/var/www/html$ cat /lib/systemd/system/dnsmasq.service
[Unit]
Description=dnsmasq - A lightweight DHCP and caching DNS server
Requires=network.target
Wants=nss-lookup.target
Before=nss-lookup.target
After=network.target
 
[Service]
Type=forking
PIDFile=/run/dnsmasq/dnsmasq.pid
 
# Test the config file and refuse starting if it is not valid.
ExecStartPre=/usr/sbin/dnsmasq --test
 
# We run dnsmasq via the /etc/init.d/dnsmasq script which acts as a
# wrapper picking up extra configuration files and then execs dnsmasq
# itself, when called with the "systemd-exec" function.
ExecStart=/etc/init.d/dnsmasq systemd-exec
 
# The systemd-*-resolvconf functions configure (and deconfigure)
# resolvconf to work with the dnsmasq DNS server. They're called like
# this to get correct error handling (ie don't start-resolvconf if the 
# dnsmasq daemon fails to start.
ExecStartPost=/etc/init.d/dnsmasq systemd-start-resolvconf
ExecStop=/etc/init.d/dnsmasq systemd-stop-resolvconf
 
 
ExecReload=/bin/kill -HUP $MAINPID
 
[Install]
WantedBy=multi-user.target
 
www-data@walla:/var/www/html$ ll /lib/systemd/system/dnsmasq.service
4.0K -rw-r--r-- 1 root root 990 Sep 17  2018 /lib/systemd/system/dnsmasq.service

The /lib/systemd/system/dnsmasq.service file cannot be altered by the www-data account

/home/walter/wifi_reset.py


www-data@walla:/var/www/html$ cat /home/walter/wifi_reset.py
#!/usr/bin/python
 
import sys
 
try:
	import wificontroller
except Exception:
	print "[!] ERROR: Unable to load wificontroller module."
	sys.exit()
 
wificontroller.stop("wlan0", "1")
wificontroller.reset("wlan0", "1")
wificotroller.start("wlan0", "1")
 
 
www-data@walla:/var/www/html$ ll /home/walter/wifi_reset.py
4.0K -rw-r--r-- 1 root root 251 Sep 17  2020 /home/walter/wifi_reset.py

The /home/walter/wifi_reset.py file is a Python script that uses the wificontroller module to restart the wlan0 interface. While the www-data user does not have write access to the Python script, it may be possible to hijack the wificontroller module. Doing so through the environment is not possible: the sudoers defaults set env_reset and secure_path, so a PYTHONPATH value set by www-data does not reach the interpreter that sudo starts.

Walter’s Home


Interestingly, the www-data user has ownership of the home directory of the walter user. This would essentially mean that I could alter whatever is present in the home directory of the walter user, including the Python script. Moving on to the Privilege Escalation phase.
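
Added example, not part of the original notes: a defender-side audit for the condition found above, where a root-owned script named in a sudo rule sits inside a directory owned by another account. It walks every path named in a rule up to / and reports each component that is not owned by root or is writable by group or other; the function names are this example's own, and the three sample rules are copied from the sudo -l output.

```python
import os
import stat

# Constructed sample: three of the rules from the `sudo -l` output above.
SUDO_RULES = [
    "(ALL) NOPASSWD: /sbin/ifup",
    "(ALL) NOPASSWD: /usr/bin/python /home/walter/wifi_reset.py",
    "(ALL) NOPASSWD: /bin/systemctl start hostapd.service",
]


def rule_paths(rule):
    """Return every absolute path named in one sudoers command spec."""
    command = rule.split(":", 1)[1]
    return [tok for tok in command.split() if tok.startswith("/")]


def untrusted_components(path, trusted_uids=(0,), base="/"):
    """Walk from path up to base and list (component, reason) for each
    component that a user outside trusted_uids could write to or replace."""
    findings = []
    current, base = os.path.realpath(path), os.path.realpath(base)
    while True:
        try:
            st = os.stat(current)
        except OSError:
            findings.append((current, "missing"))
        else:
            if st.st_uid not in trusted_uids:
                findings.append((current, "owner uid %d" % st.st_uid))
            # Conservative: any group or other write bit is reported.
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((current, "group/world writable"))
        if current in (base, "/"):
            return findings
        current = os.path.dirname(current)


def audit(rules, trusted_uids=(0,), base="/"):
    """Map each path named in the rules to its findings (empty list = clean)."""
    return {p: untrusted_components(p, trusted_uids, base)
            for rule in rules for p in rule_paths(rule)}


if __name__ == "__main__":
    for path, findings in audit(SUDO_RULES).items():
        for component, reason in findings:
            print("%s: %s is %s" % (path, component, reason))
```

A clean result for a rule means the file and every directory above it are root-owned and not group- or world-writable; any finding on a parent directory means the file's own -rw-r--r-- root root permissions do not protect it.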