📦 Phasing Through Printers

Vulnerability:
Command injection in CGI script (search.c)
User input concatenated directly into popen() command
The search.c program takes user input from the query string, URL-decodes it, and directly concatenates it into a shell command without any sanitization.
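
A hardened counterpart to the popen() pattern described above, as an added example (not the challenge's search.c): the decoded q value is checked against an allow-list and handed to the program as a single argv element, so no shell ever parses it. The use of /bin/grep, the names query_is_safe and run_search, and the 64-character limit are assumptions for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_QUERY 64 /* assumed limit, not from the original program */

/* Allow-list: 1..MAX_QUERY chars of [A-Za-z0-9 _.-], and no leading '-'
 * so the value can never be read as an option by the child program. */
int query_is_safe(const char *q) {
    size_t n = strlen(q);
    if (n == 0 || n > MAX_QUERY || q[0] == '-') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)q[i];
        if (!isalnum(c) && c != ' ' && c != '_' && c != '.' && c != '-')
            return 0;
    }
    return 1;
}

/* Search `file` for the fixed string `q` without invoking a shell.
 * Returns the child's exit status (0 = match, 1 = no match), or -1 if
 * the query is rejected or the child could not be run and reaped. */
int run_search(const char *q, const char *file) {
    if (!query_is_safe(q)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* Absolute path, -F for literal matching, "--" ends option
         * parsing; q is one argv element and is never re-tokenized. */
        execl("/bin/grep", "grep", "-F", "-q", "--", q, file, (char *)NULL);
        _exit(127); /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Validation and shell-free execution are independent layers: even if the allow-list were loosened, the argv form keeps shell metacharacters inert.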

Initial Access:
Inject commands via URL parameter q
Running as www-data user

Privilege Escalation:
Found SUID binary: /usr/local/bin/admin_help
Binary executes /tmp/wish.sh as root
Filters for "bad strings" in script
-rwsr-xr-x 1 root root 16416 Sep 29 13:09 admin_help
There's a custom SUID binary called admin_help in /usr/local/bin/ that runs as root; this is our privilege escalation vector.

Exploit:
Create /tmp/wish.sh with payload
Run admin_help to execute as root
Read /root/flag.txt


