Cronjob
PSPY has captured the execution flow of the root cronjob process. It's executing a Bash script, /opt/log-backup.sh.
The Bash script itself was also enumerated by PEAS.
log-backup.sh
confluence@flu:/opt$ cat log-backup.sh
#!/bin/bash
CONFLUENCE_HOME="/opt/atlassian/confluence/"
LOG_DIR="$CONFLUENCE_HOME/logs"
BACKUP_DIR="/root/backup"
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
# Create a backup of log files
cp -r $LOG_DIR $BACKUP_DIR/log_backup_$TIMESTAMP
tar -czf $BACKUP_DIR/log_backup_$TIMESTAMP.tar.gz $BACKUP_DIR/log_backup_$TIMESTAMP
# Cleanup old backups
find $BACKUP_DIR -name "log_backup_*" -mmin +5 -exec rm -rf {} \;
confluence@flu:/opt$ ll log-backup.sh
4.0K -rwxr-xr-x 1 confluence confluence 408 Dec 12 2023 log-backup.sh
The Bash script simply archives the log directory, /opt/atlassian/confluence/logs, into /root/backup with tar, using a timestamp in the archive name. It also deletes old backups.
The important bit here is that the log-backup.sh file is owned by the current user, confluence, even though it is run by root's cronjob.
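As an added defensive check (my own example, not code from the box or from this writeup), the script below audits a system-style crontab the way a hardening review would: for each entry run by root it verifies that every absolute path in the command, and that path's parent directory, is owned by root and is not group- or world-writable. A script failing that check is exactly the situation shown above, where root executes a file that a non-root user owns. It assumes GNU coreutils stat and the /etc/crontab or /etc/cron.d line format (a per-user crontab from "crontab -l" has no user field and is not parsed); the function and file names are mine.

```shell
#!/bin/sh
# Added example for this writeup; it is not code from the box or the original page.
# Audits what a cron job executes: the script and its parent directory should
# be owned by the user the job runs as (root by default) and must not be
# group- or world-writable, otherwise any other local user can change what
# root runs on the next tick.
# Assumption: GNU coreutils stat (-c); BSD/macOS stat uses -f instead.

# audit_cron_target PATH [EXPECTED_UID]
# Returns 0 when PATH and its parent directory pass, 1 otherwise; each
# problem is described on a WARN line.
audit_cron_target() {
    path="$1"
    expected="${2:-0}"
    rc=0
    if [ ! -e "$path" ]; then
        echo "WARN: $path does not exist (the cron entry points at a missing file)"
        return 1
    fi
    for f in "$path" "$(dirname "$path")"; do
        owner=$(stat -L -c '%u' "$f")
        sym=$(stat -L -c '%A' "$f")        # e.g. -rwxrwxr-x
        if [ "$owner" != "$expected" ]; then
            echo "WARN: $f is owned by uid $owner, expected uid $expected"
            rc=1
        fi
        # 6th character is the group write bit, 9th the other write bit
        case "$sym" in
            ?????w*|????????w*)
                echo "WARN: $f is group- or world-writable ($sym)"
                rc=1
                ;;
        esac
    done
    return $rc
}

# audit_crontab_file FILE [USER]
# Parses a system-style crontab (5 time fields, user, command), takes every
# entry run by USER (default root) and audits each absolute path that appears
# in its command. Comment lines and @reboot-style shortcuts are skipped;
# paths containing spaces are not supported. Returns 1 if any target fails.
audit_crontab_file() {
    crontab="$1"
    user="${2:-root}"
    uid=$(id -u "$user") || return 1
    rc=0
    for target in $(grep -v '^[[:space:]]*[#@]' "$crontab" |
            awk -v u="$user" '$6 == u { for (i = 7; i <= NF; i++) if ($i ~ /^\//) print $i }'); do
        audit_cron_target "$target" "$uid" || rc=1
    done
    return $rc
}

# Usage: sh cron-audit.sh /etc/crontab /etc/cron.d/*
for crontab_file in "$@"; do
    audit_crontab_file "$crontab_file" || echo "FAIL: $crontab_file"
done
```

Run it against /etc/crontab and the files under /etc/cron.d; any WARN line is a script or directory that someone other than root can modify. The same file check applies to the scripts referenced from root's per-user crontab once you list them by hand.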
Moving on to the privilege escalation phase.