malwarescan.sh
During process enumeration, I found an unknown process executing a custom bash script: /usr/sbin/malwarescan.sh
PEAS picked that up as well.
emily@pilgrimage:/$ ll /usr/sbin/malwarescan.sh
4.0k -rwxr--r-- 1 root root 474 jun 1 19:14 /usr/sbin/malwarescan.sh
emily@pilgrimage:/$ cat /usr/sbin/malwarescan.sh
#!/bin/bash
blacklist=("Executable script" "Microsoft executable")
/usr/bin/inotifywait -m -e create /var/www/pilgrimage.htb/shrunk/ | while read FILE; do
    filename="/var/www/pilgrimage.htb/shrunk/$(/usr/bin/echo "$FILE" | /usr/bin/tail -n 1 | /usr/bin/sed -n -e 's/^.*CREATE //p')"
    binout="$(/usr/local/bin/binwalk -e "$filename")"
    for banned in "${blacklist[@]}"; do
        if [[ "$binout" == *"$banned"* ]]; then
            /usr/bin/rm "$filename"
            break
        fi
    done
done
While the permission bits aren't particularly interesting (root owns the script and everyone else can only read it), the content is. The script:
- Watches /var/www/pilgrimage.htb/shrunk/ with inotifywait -m -e create, so it wakes up for every file created in that directory.
- Extracts the filename from the inotifywait event line with tail and sed (everything after "CREATE ") and stores the full path in $filename.
- Runs binwalk -e on that file, which scans it for known signatures and extracts anything it recognises into a directory, and captures binwalk's report in $binout.
- Checks that report (not the file contents themselves) for the strings in the $blacklist array: "Executable script" and "Microsoft executable", the signature descriptions binwalk prints for shebang scripts and PE files.
- Removes the original file with rm if a banned string is found.
- Repeats this for every new file, indefinitely.
In summary, this is a file-monitoring script that scans every new file dropped into the directory and removes those whose binwalk report matches the blacklist; its purpose is to keep scripts and Windows executables out of that directory. The detail that matters for us is the order of operations: binwalk -e is run on every new file before the blacklist is consulted, so whoever can get a file created in /var/www/pilgrimage.htb/shrunk/ controls what this script feeds to binwalk.
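To make the loop above concrete, here is an added example (my own code, not part of the write-up or of the Pilgrimage box) that replays the script's parsing and blacklist logic against constructed inotifywait event lines and constructed binwalk-style reports. It needs neither inotifywait nor binwalk installed: mock_binwalk is a stand-in that returns a canned report keyed on the file extension, and the report texts are constructed for layout only, not real scan results. It is written in POSIX sh (case instead of [[ ]], positional arguments instead of a bash array) so it also runs under dash.

```shell
#!/bin/sh
# Added example, not from the write-up or the Pilgrimage box: replays the
# parsing and blacklist logic of /usr/sbin/malwarescan.sh against constructed
# inotifywait lines and constructed binwalk-style reports, so the behaviour
# can be checked without inotifywait or binwalk installed.

WATCH_DIR="/var/www/pilgrimage.htb/shrunk/"

# Constructed binwalk-style reports (layout only; not real scan results).
PNG_SCAN='DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             PNG image, 1 x 1, 8-bit/color RGB, non-interlaced'
SCRIPT_SCAN='DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             Executable script, shebang: "/bin/bash"'
PE_SCAN='DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             Microsoft executable, portable (PE)'

# Same extraction as the script: keep only what follows "CREATE " on the
# inotifywait line (default output format "%w %e %f", e.g.
# "/var/www/pilgrimage.htb/shrunk/ CREATE upload.png") and prepend the
# watched directory.
event_to_path() {
    printf '%s%s\n' "$WATCH_DIR" \
        "$(printf '%s\n' "$1" | tail -n 1 | sed -n -e 's/^.*CREATE //p')"
}

# Same test as the script's for loop: does the report contain any banned
# signature description?  Usage: classify "$report" banned1 banned2 ...
# Prints "remove" or "keep".
classify() {
    binout=$1
    shift
    for banned in "$@"; do
        case $binout in
            *"$banned"*) echo remove; return 0 ;;
        esac
    done
    echo keep
}

# Stand-in for "/usr/local/bin/binwalk -e" (hypothetical): returns a
# constructed report keyed on the file extension.
mock_binwalk() {
    case $1 in
        *.sh)  printf '%s\n' "$SCRIPT_SCAN" ;;
        *.exe) printf '%s\n' "$PE_SCAN" ;;
        *)     printf '%s\n' "$PNG_SCAN" ;;
    esac
}

# One iteration of the script's while loop.  Note the order: the scanner
# (binwalk -e in the real script) runs on every new file first; the
# blacklist only decides afterwards whether the file is deleted.
handle_event() {
    path=$(event_to_path "$1")
    report=$(mock_binwalk "$path")
    verdict=$(classify "$report" "Executable script" "Microsoft executable")
    printf '%s %s\n' "$path" "$verdict"
}

# Demo: an image, a shell script, a PE file, and a directory creation.
# The ",ISDIR" event contains no "CREATE " followed by a space, so sed prints
# nothing and the computed path collapses to the watched directory itself.
for line in \
    "$WATCH_DIR CREATE upload.png" \
    "$WATCH_DIR CREATE drop.sh" \
    "$WATCH_DIR CREATE tool.exe" \
    "$WATCH_DIR CREATE,ISDIR sub"
do
    handle_event "$line"
done
```

Running it prints one line per event with the path the script would compute and the verdict. Two things stand out: the blacklist only ever sees binwalk's textual report, so anything binwalk does not describe with those two strings is kept, and the path is built from sed's output, so an event whose line does not match the pattern (such as CREATE,ISDIR) makes the script hand the bare directory path to binwalk.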
emily@pilgrimage:/$ /usr/local/bin/binwalk
Binwalk v2.3.2
Craig Heffner, ReFirmLabs
https://github.com/ReFirmLabs/binwalk
[...REDACTED...]
Checking the installed binwalk reveals that it is version 2.3.2.
Binwalk 2.3.2 suffers from an RCE vulnerability.
Moving on to the privilege escalation phase.