server-stats


david@traverxec:~$ ll
total 36K
4.0k -r--r----- 1 root  david   33 sep 17 03:25 user.txt
4.0K drwx--x--x 5 david david 4.0K Oct 25  2019 .
4.0K drwx------ 2 david david 4.0K Oct 25  2019 .ssh
4.0K drwx------ 2 david david 4.0K Oct 25  2019 bin
   0 lrwxrwxrwx 1 root  root     9 Oct 25  2019 .bash_history -> /dev/null
4.0K drwxr-xr-x 3 david david 4.0K Oct 25  2019 public_www
4.0K -rw-r--r-- 1 david david  220 Oct 25  2019 .bash_logout
4.0K -rw-r--r-- 1 david david 3.5K Oct 25  2019 .bashrc
4.0K -rw-r--r-- 1 david david  807 Oct 25  2019 .profile
4.0K drwxr-xr-x 3 root  root  4.0K Oct 25  2019 ..

After moving laterally to the david user, I found a bin directory in the user's home directory.

david@traverxec:~$ cd bin ; ll
total 16K
4.0K drwx--x--x 5 david david 4.0K Oct 25  2019 ..
4.0K drwx------ 2 david david 4.0K Oct 25  2019 .
4.0K -r-------- 1 david david  802 Oct 25  2019 server-stats.head
4.0K -rwx------ 1 david david  363 Oct 25  2019 server-stats.sh

There are 2 files: server-stats.head and server-stats.sh

server-stats.head


david@traverxec:~/bin$ cat server-stats.head
                                                                          .----.
                                                              .---------. | == |
   Webserver Statistics and Data                              |.-"""""-.| |----|
         Collection Script                                    ||       || | == |
          (c) David, 2019                                     ||       || |----|
                                                              |'-.....-'| |::::|
                                                              '"")---(""' |___.|
                                                             /:::::::::::\"    "
                                                            /:::=======:::\
                                                        jgs '"""""""""""""' 

The server-stats.head file appears to be an ASCII art header file.

server-stats.sh


david@traverxec:~/bin$ cat server-stats.sh 
#!/bin/bash
 
cat /home/david/bin/server-stats.head
echo "load: `/usr/bin/uptime`"
echo " "
echo "open nhttpd sockets: `/usr/bin/ss -H sport = 80 | /usr/bin/wc -l`"
echo "files in the docroot: `/usr/bin/find /var/nostromo/htdocs/ | /usr/bin/wc -l`"
echo " "
echo "last 5 journal log lines:"
/usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat 

The server-stats.sh file appears to fetch various server statistics, including server load, open HTTP sockets, the number of files in a specific directory, and the last 5 entries from the system’s journal log, and present them in a structured format. The most important part is that it executes a sudo command: /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat

Although it is not possible to check the sudo privileges of the user, since the password is not known at this point, I can assume from the server-stats.sh file that /usr/bin/sudo /usr/bin/journalctl -n5 -unostromo.service | /usr/bin/cat is the sudo privilege of the david user.

As shown above, I am able to execute the sudo command with UID=0.

journalctl + less


According to GTFOBins, journalctl could be abused for privilege escalation if it is configured to run via sudo.

Additionally, journalctl invokes the default pager, less, which was confirmed above.
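
From the defender's side, the condition described above can be audited. The following is an added example, not part of the original write-up or the target's files: it scans sudoers-format text for rules that grant a pager-capable binary without the NOEXEC tag or a pinned --no-pager argument. The sample rules are constructed, with the first one modelled on the command in server-stats.sh, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: flag sudoers rules that let a user reach an interactive
# pager as root. Function names and sample data are illustrative.

# Binaries known to open a pager when attached to a terminal (not exhaustive).
PAGER_BINS='journalctl|systemctl|less|more|man'

# Reads sudoers-format text on stdin; prints "FLAG: <rule>" per risky rule.
audit_sudoers_pagers() {
    # 1. drop comments, blank lines and Defaults settings
    # 2. keep lines that name a pager-capable binary by path
    # 3. drop rules mitigated by NOEXEC or a pinned --no-pager argument
    grep -Ev '^[[:space:]]*(#|$|Defaults)' |
        grep -E "/(${PAGER_BINS})([[:space:],]|\$)" |
        grep -Ev -e 'NOEXEC:' -e '--no-pager' |
        sed 's/^/FLAG: /'
}

# Constructed sample input; only the first rule should be reported.
sample_sudoers() {
    cat <<'EOF'
# constructed sudoers sample
Defaults env_reset
david ALL=(ALL:ALL) NOPASSWD: /usr/bin/journalctl -n5 -unostromo.service
ops ALL=(root) NOPASSWD: NOEXEC: /usr/bin/journalctl -u nginx.service
backup ALL=(root) NOPASSWD: /usr/bin/journalctl --no-pager -n50
deploy ALL=(root) NOPASSWD: /usr/bin/rsync
EOF
}

# Stand-alone run over the constructed sample.
sample_sudoers | audit_sudoers_pagers
```

On a real host the input would come from /etc/sudoers and the files under /etc/sudoers.d, read as root.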

Moving on to the Privilege Escalation phase.