The payload in vulnparam is "id) && (echo" where id is the command output displayed to the screen and the echo part was to essentially eliminate the rest of the command that the web application intended to run but the actual command injection is outside the scope of this post. Injecting id confirms I'm running as www-data. While enumerating the system for privilege escalation I decided to run "sudo -l" to list the commands www-data was allowed to sudo and discovered something interesting.
Date seemed like something worth exploring. The man pages instantly revealed something promising.
What happens if I set the file parameter to something that doesn't contain dates? Well, nothing at first because the output goes to standard error, haha. But, once I realized that and directed standard error to standard output with the following payload "sudo date -f /etc/shadow 2>&1) && (echo", I hit pay dirt!
Since this was a web application on an Internet of Things (IoT) device, reading /etc/wpa_supplicant/wpa_supplicant.conf for the cleartext WiFi password would be beneficial. If you had root privileges on date on a more traditional engagement, you could use it for acquiring hashes or to read SSH private keys.
I thought this was an interesting step towards privilege escalation and worth sharing. At the very least, it might be useful for a CTF...
Go forth and reign shells!
Good to know! I'll add this to the list!
ReplyDelete