Cron
A cron job running as root was discovered early on. PEAS also enumerated it, and pspy later captured its execution.
[alfredo@fedora ~]$ cat /etc/crontab | grep -v '^#'
SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
*/1 * * * * root /usr/local/bin/backup-flask.sh
It runs a shell script, /usr/local/bin/backup-flask.sh, as root every minute.
/usr/local/bin/backup-flask.sh
[alfredo@fedora ~]$ ll /usr/local/bin/backup-flask.sh
-rwxr-xr-x. 1 root root 106 Mar 28 2023 /usr/local/bin/backup-flask.sh
[alfredo@fedora ~]$ cat /usr/local/bin/backup-flask.sh
#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
- The script prepends the /home/alfredo/restapi directory to the PATH variable. PEAS had flagged the misconfigured PATH; this script is the cause of it.
- It then archives the directory contents with tar, invoked by name rather than by absolute path, so the binary is resolved through that PATH.
Since the /home/alfredo/restapi directory is controlled by the current user, alfredo, and tar is called without its absolute path, code execution is achievable by placing a malicious tar executable into /home/alfredo/restapi: that directory is the first PATH entry, so a file named tar there is found before the real one in /usr/bin. The root cause is a privileged script that prepends a user-writable directory to PATH and then relies on PATH lookup; the fix is a fixed PATH of system directories and absolute paths for the binaries the script calls.
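As an added example (not part of the original write-up), the following Python auditor checks a system crontab and the scripts it runs for the two conditions that together make this job hijackable: a PATH entry outside the standard system directories, and a command invoked by bare name. The crontab and script are the ones shown above; the list of trusted directories and the hardened variant of the script are constructed here for comparison.

```python
"""Audit root cron jobs for PATH-hijack exposure (added example, not from the write-up)."""
import re
import shlex

# Constructed list of directories assumed to be root-owned and not user-writable.
SYSTEM_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin",
               "/usr/local/bin", "/usr/local/sbin")

# Sample input: the crontab and script from the enumeration above.
CRONTAB = """SHELL=/bin/bash
PATH=/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root
*/1 * * * * root /usr/local/bin/backup-flask.sh
"""
WEAK_SCRIPT = """#!/bin/sh
export PATH="/home/alfredo/restapi:$PATH"
cd /home/alfredo/restapi
tar czf /tmp/flask.tar.gz *
"""
# Constructed hardened variant: fixed PATH of system dirs only, absolute tar path.
HARDENED_SCRIPT = """#!/bin/sh
PATH=/usr/bin:/bin
export PATH
cd /home/alfredo/restapi || exit 1
/usr/bin/tar czf /tmp/flask.tar.gz .
"""

# Shell builtins are not resolved via PATH, so they are not hijackable this way.
SHELL_BUILTINS = {"cd", "export", "exit", "set", "echo", "if", "then", "fi",
                  "for", "do", "done", "while", "return", "umask"}
PATH_ASSIGN = re.compile(r'^(?:export\s+)?PATH=(["\']?)(.*)\1\s*$')


def parse_system_crontab(text):
    """Return (user, command) for each job line of a /etc/crontab-style file.
    Skips comments, VAR=value lines and anything not in the 7-field form."""
    jobs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            jobs.append((fields[5], fields[6]))
    return jobs


def untrusted_path_entries(script_text):
    """Directories assigned to PATH that are not in SYSTEM_DIRS ("" means cwd)."""
    found = []
    for line in script_text.splitlines():
        m = PATH_ASSIGN.match(line.strip())
        if not m:
            continue
        for entry in m.group(2).split(":"):
            if entry in ("$PATH", "${PATH}"):
                continue  # inherited value, checked separately by the caller
            found.append(entry or ".")
    return [e for e in found if e not in SYSTEM_DIRS]


def bare_commands(script_text):
    """Commands invoked by name only (resolved through PATH), not by absolute path.
    Simplified parsing: '#' starts a comment, pipelines/lists are split on | || && ;."""
    found = []
    for line in script_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        for segment in re.split(r"\s*(?:\|\||&&|;|\|)\s*", line):
            try:
                words = shlex.split(segment)
            except ValueError:
                continue
            # Drop leading VAR=value assignments before the command word.
            while words and re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", words[0]):
                words.pop(0)
            if not words:
                continue
            cmd = words[0]
            if cmd in SHELL_BUILTINS or cmd.startswith(("/", "./")):
                continue
            found.append(cmd)
    return found


def audit(crontab_text, scripts):
    """scripts maps script path -> contents. Reports root jobs whose script both
    adds an untrusted PATH entry and calls a command by bare name."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        script = shlex.split(command)[0]
        text = scripts.get(script)
        if text is None:
            continue
        dirs, cmds = untrusted_path_entries(text), bare_commands(text)
        if dirs and cmds:
            findings.append({"script": script, "untrusted_dirs": dirs,
                             "bare_commands": cmds})
    return findings


if __name__ == "__main__":
    for label, script in (("weak", WEAK_SCRIPT), ("hardened", HARDENED_SCRIPT)):
        print(label, audit(CRONTAB, {"/usr/local/bin/backup-flask.sh": script}))
```

Run against the script from the page it reports /home/alfredo/restapi as the untrusted PATH entry and tar as the bare command; against the hardened variant it reports nothing. On a live host the same logic would be fed the real /etc/crontab, /etc/cron.d/* and the referenced scripts, with an extra os.stat check that each PATH directory is root-owned and not group- or world-writable.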
Moving on to the Privilege Escalation phase