teaParty
Checking the home directory of the rabbit user after making the lateral movement
rabbit@wonderland:/home/rabbit$ ll
total 40K
4.0K drwxr-x--- 2 rabbit rabbit 4.0K May 25 2020 .
20K -rwsr-sr-x 1 root root 17K May 25 2020 teaParty
0 lrwxrwxrwx 1 root root 9 May 25 2020 .bash_history -> /dev/null
4.0K drwxr-xr-x 6 root root 4.0K May 25 2020 ..
4.0K -rw-r--r-- 1 rabbit rabbit 220 May 25 2020 .bash_logout
4.0K -rw-r--r-- 1 rabbit rabbit 3.7K May 25 2020 .bashrc
4.0K -rw-r--r-- 1 rabbit rabbit 807 May 25 2020 .profile
There is a SUID binary, teaParty, owned by root
rabbit@wonderland:/home/rabbit$ ./teaParty
Welcome to the tea party!
The Mad Hatter will be here soon.
Probably by Wed, 28 Aug 2024 16:22:32 +0000
Ask very nicely, and I will give you some tea while you wait for him
a
Segmentation fault (core dumped)
Executing the binary: providing any user input results in a segmentation fault
Checking the pspy log reveals the inner workings of the binary
The echo binary is invoked with its absolute path, whereas date is called without one, so date is resolved through the caller's PATH.
It might be vulnerable to a PATH hijacking attack
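How a privileged program can avoid this PATH dependency, as an added example (not code from the teaParty binary or from these notes): either build the timestamp in-process, or run the helper by absolute path with execve and a constant environment. The /bin/date location, the -R argument and the fixed PATH value are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Option 1: no child process. Format "one hour from now" in-process, in the
 * same RFC 2822 shape as the binary's output, so PATH is never consulted. */
int eta_in_process(time_t now, char *out, size_t len) {
    time_t eta = now + 3600;
    struct tm *tm = gmtime(&eta);   /* single-threaded program assumed */
    if (tm == NULL) return -1;
    return strftime(out, len, "%a, %d %b %Y %H:%M:%S +0000", tm) ? 0 : -1;
}

/* Option 2: a helper is unavoidable. No shell, no PATH search: absolute path,
 * execve (not system/execvp), and a constant environment for the child. */
int run_fixed(const char *abs_path, char *const argv[], char *out, size_t len) {
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    int fds[2], status;
    size_t used = 0;
    ssize_t n;
    if (abs_path[0] != '/' || len == 0 || pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]); close(fds[1]);
        execve(abs_path, argv, clean_env);
        _exit(127);                 /* exec failed */
    }
    close(fds[1]);
    while (used < len - 1 && (n = read(fds[0], out + used, len - 1 - used)) > 0)
        used += (size_t)n;
    out[used] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) < 0) return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void) {
    char buf[64];
    char *const argv[] = { "date", "-R", NULL };   /* assumed helper arguments */
    if (eta_in_process(time(NULL), buf, sizeof buf) == 0)
        printf("Probably by %s\n", buf);
    if (run_fixed("/bin/date", argv, buf, sizeof buf) == 0)   /* assumed path */
        printf("Now: %s", buf);
    return 0;
}
```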