Cron


Enumerating the system after gaining a foothold reveals a system-level cron job running.

www-data@cronos:/var/www/laravel$ file /var/www/laravel/artisan
/var/www/laravel/artisan: a /usr/bin/env php script, ASCII text executable
www-data@cronos:/var/www/laravel$ ll /var/www/laravel/artisan
4.0K -rwxr-xr-x 1 www-data www-data 1.7K Apr  9  2017 /var/www/laravel/artisan

It executes a PHP script with an argument: schedule:run. As discovered earlier, the current user (www-data) has complete control over the entire directory, let alone the file.

www-data@cronos:/var/www/laravel$ cat artisan
#!/usr/bin/env php
<?php
 
/*
|--------------------------------------------------------------------------
| Register The Auto Loader
|--------------------------------------------------------------------------
|
| Composer provides a convenient, automatically generated class loader
| for our application. We just need to utilize it! We'll require it
| into the script here so that we do not have to worry about the
| loading of any our classes "manually". Feels great to relax.
|
*/
 
require __DIR__.'/bootstrap/autoload.php';
 
$app = require_once __DIR__.'/bootstrap/app.php';
 
/*
|--------------------------------------------------------------------------
| Run The Artisan Application
|--------------------------------------------------------------------------
|
| When we run the console application, the current CLI command will be
| executed in this console and the response sent back to a terminal
| or another output device for the developers. Here goes nothing!
|
*/
 
$kernel = $app->make(Illuminate\Contracts\Console\Kernel::class);
 
$status = $kernel->handle(
    $input = new Symfony\Component\Console\Input\ArgvInput,
    new Symfony\Component\Console\Output\ConsoleOutput
);
 
/*
|--------------------------------------------------------------------------
| Shutdown The Application
|--------------------------------------------------------------------------
|
| Once Artisan has finished running. We will fire off the shutdown events
| so that any final work may be done by the application before we shut
| down the process. This is the last thing to happen to the request.
|
*/
 
$kernel->terminate($input, $status);
 
exit($status);
 

I will attempt to hijack the script.
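
The condition described above (a system cron job running a file that a less-privileged account owns), checked from the hardening side. This is an added example, not part of the original notes: the function names are hypothetical, and the sample crontab line is constructed, with only the script path and the schedule:run argument taken from the page (the schedule and the root user field are assumptions).

```python
import os
import pwd
import shlex
import stat

# Constructed sample in /etc/crontab format. The script path and argument come
# from the page; the schedule and the "root" user field are assumptions.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1
"""

def parse_system_crontab(text):
    """Yield (user, argv) per job line; comments and VAR=value lines are skipped."""
    for line in text.splitlines():
        fields = line.strip().split(None, 6)
        if len(fields) == 7 and not fields[0].startswith("#"):
            yield fields[5], shlex.split(fields[6])

def modifiable_by_others(path, job_uid):
    """Reasons why an account other than root or the job's user can alter path."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in (0, job_uid):
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        reasons.append(f"writable by gid {st.st_gid}")
    sticky_dir = stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_ISVTX
    if st.st_mode & stat.S_IWOTH and not sticky_dir:
        reasons.append("world-writable")
    return reasons

def audit(crontab_text, uid_of=lambda name: pwd.getpwnam(name).pw_uid):
    """Return [(user, path, reasons)] for job files, and their directories, that others can modify."""
    findings = []
    for user, argv in parse_system_crontab(crontab_text):
        job_uid = uid_of(user)
        for arg in argv:
            # Only absolute paths to regular files; skips /dev/null and PATH lookups.
            if not (os.path.isabs(arg) and os.path.isfile(arg)):
                continue
            for target in (arg, os.path.dirname(arg)):
                reasons = modifiable_by_others(target, job_uid)
                if reasons:
                    findings.append((user, target, reasons))
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE_CRONTAB))
```

Only the script and its immediate parent directory are checked; files the script itself loads (here bootstrap/autoload.php and bootstrap/app.php) need the same ownership review.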