System Timer


I initially discovered a system timer running very frequently; this was later confirmed by both PSPY and PEAS.

It’s executing a bash script located at /usr/bin/timer_backup.sh.

timer_backup.sh


pericles@time:/home/pericles$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip

The bash script itself does the following:

  • recursively archives the whole web directory, /var/www/html
  • moves the archive to /root/backup.zip

pericles@time:/home/pericles$ ll /usr/bin/timer_backup.sh
4.0K -rwxrw-rw- 1 pericles pericles 88 Mar 21 14:10 /usr/bin/timer_backup.sh

Most importantly, I can write to it, as the current user has ownership over the bash script. This was discovered through PEAS.

This means that I can just overwrite the script with something else to have systemd-udevd execute it as the root user.
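
A defender-side check for the misconfiguration described above, as an added example that is not part of the original write-up: it lists the absolute paths on a unit's ExecStart= lines and flags any file that is not owned by root or is group/world-writable, as /usr/bin/timer_backup.sh is here. The function names, the optional trusted-uid argument and the unit files passed in are assumptions; it relies on GNU stat.

```shell
#!/bin/sh
# Added example (not from the write-up): audit files a systemd unit executes.
# Assumes GNU stat (Linux) and ExecStart paths without spaces.

# Exit status 0 = unsafe: owner is not the trusted uid (default 0, root),
# or a group/other write bit is set. Status 1 = safe, 2 = stat failed.
is_unsafe_script() {
    au_info=$(stat -c '%u %a' -- "$1") || return 2
    au_owner=${au_info% *}
    au_mode=${au_info#* }
    [ "$au_owner" = "${2:-0}" ] || return 0
    case $au_mode in
        *[2367]?|*[2367]) return 0 ;;   # group-writable | world-writable
    esac
    return 1
}

# Print each absolute path found on the unit's ExecStart= lines,
# with systemd's prefix characters (-, @, :, +, !) stripped.
exec_paths() {
    sed -n 's/^ExecStart=//p' "$1" | tr -s ' \t' '\n\n' |
        sed 's/^[-@:+!]*//' | grep '^/'
}

# Print one line per unsafe file; status 0 if at least one was found.
audit_unit() {
    au_hits=$(exec_paths "$1" | while read -r au_path; do
        [ -f "$au_path" ] || continue
        if is_unsafe_script "$au_path" "${2:-0}"; then
            echo "UNSAFE $au_path ($(stat -c '%U:%G %A' -- "$au_path")) via $1"
        fi
    done)
    [ -n "$au_hits" ] || return 1
    printf '%s\n' "$au_hits"
}

# Usage: sh audit.sh /etc/systemd/system/*.service
for au_unit in "$@"; do audit_unit "$au_unit" || true; done
```

The remediation the check points to is root ownership with no group or world write bit (for example mode 755, owner root) on anything a root-run unit executes.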

Moving on to the Privilege Escalation phase.