pythonapp.service
[cmeeks@hetemit ~]$ systemctl status pythonapp.service
● pythonapp.service - Python App
Loaded: loaded (/etc/systemd/system/pythonapp.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2024-08-02 21:41:48 UTC; 6 months 3 days ago
Main PID: 1395 (flask)
Tasks: 2 (limit: 23827)
Memory: 33.5M
CGroup: /system.slice/pythonapp.service
└─1395 /usr/bin/python3.6 /usr/local/bin/flask run -h 0.0.0.0 -p 50000
pythonapp.service was initially enumerated and later identified as modifiable by the current user, cmeeks.
[cmeeks@hetemit ~]$ ll /etc/systemd/system/multi-user.target.wants/pythonapp.service
lrwxrwxrwx 1 root root 37 Nov 13 2020 /etc/systemd/system/multi-user.target.wants/pythonapp.service -> /etc/systemd/system/pythonapp.service
There is a symbolic link in the multi-user.target.wants directory. This allows systemd to start the service at boot time.
[cmeeks@hetemit ~]$ cat /etc/systemd/system/pythonapp.service
[Unit]
Description=Python App
After=network-online.target
[Service]
Type=simple
WorkingDirectory=/home/cmeeks/restjson_hetemit
ExecStart=flask run -h 0.0.0.0 -p 50000
TimeoutSec=30
RestartSec=15s
User=cmeeks
ExecReload=/bin/kill -USR1 $MAINPID
Restart=on-failure
[Install]
WantedBy=multi-user.target
The service file explicitly sets the security context: User=cmeeks. However, the cmeeks user is able to modify the file so that the service is executed under the root account. Additionally, the user has sudo privilege to reboot the system.
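From a hardening standpoint, the condition found here (a unit file that an unprivileged account can edit) can be checked across a whole unit directory. The following is an added example, not part of the original notes: a POSIX shell function that flags unit files owned by anyone other than a trusted uid or carrying group/other write bits, and reports the account each one currently runs as. The name audit_units, its arguments and its output format are assumptions of this example; it relies on GNU stat and does not inspect ACLs.

```sh
# Added example (not from the original notes): flag systemd unit files that an
# account other than the trusted owner can modify.
# Usage: audit_units DIR [TRUSTED_UID]   (TRUSTED_UID defaults to 0, root)
#        e.g. audit_units /etc/systemd/system
# Output: one line per finding: <path> owner=<uid> mode=<octal> runs_as=<user>
# Exit status: 1 if any unit was flagged, 0 otherwise.
# Assumes GNU stat (stat -c); POSIX ACLs are not inspected (check with getfacl).
audit_units() (
    dir=$1
    trusted=${2:-0}
    flagged=0
    for f in "$dir"/*.service "$dir"/*.timer "$dir"/*.socket; do
        # Skip unmatched globs and symlinks (e.g. entries under *.wants/)
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        uid=$(stat -c '%u' "$f")
        mode=$(stat -c '%a' "$f")
        # Risky if owned by someone else, or group/other write bits are set
        if [ "$uid" != "$trusted" ] || [ $(( 0$mode & 022 )) -ne 0 ]; then
            # Last User= wins; a system unit without User= runs as root
            runas=$(sed -n 's/^User=//p' "$f" | tail -n 1)
            printf '%s owner=%s mode=%s runs_as=%s\n' \
                "$f" "$uid" "$mode" "${runas:-root}"
            flagged=1
        fi
    done
    exit "$flagged"
)
```

A flagged unit should be returned to root ownership with mode 644, since whoever can write the file controls its User= and ExecStart= lines.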
Moving on to the Privilege Escalation phase