Recently, I was testing an open source web application and stumbled on a command injection as the www-data user (hopefully another blog post soon, once the vulnerability has been patched). To give a better idea of what I'm talking about, I created a demo web application with a similar vulnerability.
The payload in vulnparam is "id) && (echo", where id is the command whose output is displayed to the screen and the echo part essentially eliminates the rest of the command that the web application intended to run; the actual command injection is outside the scope of this post. Injecting id confirms I'm running as www-data. While enumerating the system for privilege escalation, I decided to run "sudo -l" to list the commands www-data was allowed to sudo and discovered something interesting.
Date seemed like something worth exploring. The man pages instantly revealed something promising.
What happens if I set the file parameter to something that doesn't contain dates? Well, nothing at first because the output goes to standard error, haha. But, once I realized that and directed standard error to standard output with the following payload "sudo date -f /etc/shadow 2>&1) && (echo", I hit pay dirt!
Since this was a web application on an Internet of Things (IoT) device, reading /etc/wpa_supplicant/wpa_supplicant.conf for the cleartext WiFi password would be beneficial. If you had root privileges on date on a more traditional engagement, you could use it for acquiring hashes or to read SSH private keys.
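On the detection side, the file read described above leaves a trace in sudo's log. The following is an added example, not code from the original post: it scans sudo log lines for date invoked with -f/--file, including clustered and abbreviated option forms. It assumes sudo's default syslog entry format; the sample lines and the names date_file_arg, find_date_file_reads and allowed are constructed for illustration.

```python
import re

# Default sudo syslog entry: "<user> : TTY=.. ; PWD=.. ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+)"
                     r" ; COMMAND=(?P<cmd>.+)$")

def date_file_arg(command):
    """Return the path passed to date's -f/--file option, or None if absent."""
    argv = command.split()  # sudo logs the arguments space-joined
    if not argv or argv[0].rsplit("/", 1)[-1] != "date":
        return None
    args, i = argv[1:], 0
    while i < len(args):
        arg, nxt = args[i], (args[i + 1] if i + 1 < len(args) else "")
        i += 1
        if arg == "--":  # end of options
            break
        if arg.startswith("--"):
            name, eq, value = arg[2:].partition("=")
            if name and "file".startswith(name):  # getopt accepts --f, --fi, --fil
                return value if eq else nxt
            if not eq and any(o.startswith(name) for o in ("date", "reference", "set")):
                i += 1  # this option consumed the next word as its argument
        elif arg.startswith("-") and len(arg) > 1:
            for pos, ch in enumerate(arg[1:], start=2):
                rest = arg[pos:]  # text following this option letter
                if ch == "f":  # also catches clusters such as -uf
                    return rest or nxt
                if ch in "drs":  # these take an argument, so parsing stops here
                    i += 0 if rest else 1
                    break
                if ch == "I":  # optional argument is always attached
                    break
    return None

def find_date_file_reads(lines, allowed=()):
    """Return (user, runas, path) for each sudo'd date -f outside `allowed`."""
    hits = []
    for line in lines:
        m = SUDO_RE.search(line)
        path = date_file_arg(m["cmd"]) if m else None
        if path is not None and path not in allowed:
            hits.append((m["user"], m["runas"], path))
    return hits

# Constructed sample log lines (not from the original post)
PFX = "Jan 10 10:00:00 iot sudo: www-data : TTY=unknown ; PWD=/var/www ; USER=root ; COMMAND="
SAMPLE_LOG = [PFX + c for c in ("/bin/date -f /etc/shadow", "/bin/date -uf /etc/shadow",
    "/bin/date --file=/etc/wpa_supplicant/wpa_supplicant.conf", "/bin/date -s 2024-01-10")]
```

Calling find_date_file_reads(SAMPLE_LOG) returns the three file reads and ignores the legitimate -s invocation; pass known-good date files in allowed to suppress expected use.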
I thought this was an interesting step towards privilege escalation and worth sharing. At the very least, it might be useful for a CTF...
Go forth and reign shells!
Good to know! I'll add this to the list!