dev-datasci
Checking for sudo privileges of the dev-datasci user after performing a manual enumeration of the WSL environment on the DEV-DATASCI-JUP(10.10.232.68) host. The user has a group membership to the sudo group, which was also flagged by PEAS.
(base) dev-datasci@DEV-DATASCI-JUP:/dev/shm$ sudo -l
Matching Defaults entries for dev-datasci on DEV-DATASCI-JUP:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User dev-datasci may run the following commands on DEV-DATASCI-JUP:
(ALL : ALL) ALL
(ALL) NOPASSWD: /home/dev-datasci/.local/bin/jupyter, /bin/su dev-datasci
-c *The dev-datasci user is able to execute the following 3 sudo-privileged commands;
(ALL : ALL) ALL/home/dev-datasci/.local/bin/jupyter- without password
/bin/su dev-datasci -c *- without password
While the first sudo command prompts for password, the 2nd and 3rd ones don’t. The 3rd one is rather limited, but the 2nd could be exploited.
/home/dev-datasci/.local/bin/jupyter
(base) dev-datasci@DEV-DATASCI-JUP:~/datasci-team$ ll /home/dev-datasci/.local/bin/jupyter
ls: cannot access '/home/dev-datasci/.local/bin/jupyter': No such file or directory/home/dev-datasci/.local/bin/jupyter does not exist and it’s located in the home directory of the current user; dev-datasci
Privilege escalation is possible by creating an arbitrary file.