Interesting Bash Script Pitfalls

Two interesting vulnerabilities related to bash scripts and other related technologies. Discusses using binaries without specifying the full path and arithmetic expansion abuse.

HTB Trick Writeup

In this machine, we perform asynchronous data transfer to discover a hidden subdomain. The website on this subdomain is vulnerable to a local file inclusion vulnerability. We can immediately pop a shell as www-data or retrieve the id_rsa key of user michael. Michael is part of the security group, who has sudo access to fail2ban start. Leveraging GTFObins, we can escalate privileges to root.

HTB Shoppy Writeup

In this Linux machine, we fuzz the web server to find a Mattermost vhost. However, the credentials have to be exfiltrated from the default host via SQL injection (it was a pretty hard SQL injection). We can use these credentials to log into Mattermost and get another set of credentials to log in via SSH. Once inside, we notice that we can run a password manager as sudo. A simple reverse engineering with xxd yields the password. We can then use these creds to log in as a user who is part of the docker group.

HTB Driver Writeup

In this machine, we gain initial access by coercing authentication from a machine with an .ico file. Then, we find that the version of Windows running is vulnerable to PrintNightmare. We can immediately escalate privileges to SYSTEM.

HTB Remote Writeup

First, we discover an open NFS share. The share contains .sdf files which contain the password hashes. We can crack one of them and log into the Umbraco website. This version of Umbraco is vulnerable to an authenticated RCE, which we leverage to get a shell. Once in, we can use PrintSpoofer to escalate privileges to SYSTEM.