git-server


After performing a manual system enumeration, I found an interesting directory at the system root:

[dademola@hunit /]$ ll git-server
total 40K
4.0K drwxr-xr-x 18 root root 4.0K Nov 10  2020 ..
4.0K drwxr-xr-x  7 git  git  4.0K Nov  6  2020 .
4.0K drwxr-xr-x 16 git  git  4.0K Nov  6  2020 objects
4.0K -rw-r--r--  1 git  git    23 Nov  5  2020 HEAD
4.0K drwxr-xr-x  2 git  git  4.0K Nov  5  2020 branches
4.0K -rw-r--r--  1 git  git    66 Nov  5  2020 config
4.0K -rw-r--r--  1 git  git    73 Nov  5  2020 description
4.0K drwxr-xr-x  2 git  git  4.0K Nov  5  2020 hooks
4.0K drwxr-xr-x  2 git  git  4.0K Nov  5  2020 info
4.0K drwxr-xr-x  4 git  git  4.0K Nov  5  2020 refs

The git-server directory appears to be a typical .git directory.

log


[dademola@hunit /]$ cd git-server/ ; git log
commit b50f4e5415cae0b650836b5466cc47c62faf7341 (HEAD -> master)
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 21:05:58 2020 -0300
 
    testing
 
commit c71132590f969b535b315089f83f39e48d0021e2
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:59:48 2020 -0300
 
    testing
 
commit 8c0bc9aa81756b34cccdd3ce4ac65091668be77b
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:54:50 2020 -0300
 
    testing
 
commit 574eba09bb7cc54628f574a694a57cbbd02befa0
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:39:14 2020 -0300
 
    Adding backups
 
commit 025a327a0ffc9fe24e6dd312e09dcf5066a011b5
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:23:04 2020 -0300
 
    Init

The 574eba09bb7cc54628f574a694a57cbbd02befa0 commit looks appealing, as the comment mentions backups.

574eba09bb7cc54628f574a694a57cbbd02befa0 Commit


[dademola@hunit git-server]$ git show 574eba09bb7cc54628f574a694a57cbbd02befa0
commit 574eba09bb7cc54628f574a694a57cbbd02befa0
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:39:14 2020 -0300
 
    Adding backups
 
diff --git a/backups.sh b/backups.sh
new file mode 100644
index 0000000..5a959db
--- /dev/null
+++ b/backups.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+#
+#
+# # Placeholder
+#
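Review bot: `new file mode 100644` creates backups.sh with a `#!/bin/bash` shebang but no execute bit, and every line of the body is a comment ending in `# # Placeholder`. If the script is meant to be invoked directly it should be committed as 100755, and the commit message "Adding backups" should say that this is a stub with no backup logic yet.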
(END)

There is the backups.sh file, and it’s an empty Bash script. But this might be the Bash script that the root cronjob is running.

[dademola@hunit tmp]$ git clone file:///git-server 
Cloning into 'git-server'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 12 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (12/12), done.
Resolving deltas: 100% (2/2), done.
 
[dademola@hunit tmp]$ cd git-server ; ls
NEW_CHANGE  README  backups.sh

Cloning the /git-server repository into the /var/tmp directory.

Because the root cronjob process is pulling from the /git-server directory and executing the backups.sh Bash script, if I can modify the backups.sh file and push the change to the main branch, I can leverage the cronjob to get code execution as the root user.
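Seen from the defensive side, the weakness described above is a root job executing content from a path that a non-root account (here `git`, per the directory listing) controls. The following is an added example, not part of the original write-up, that audits such a path. The function name `audit_exec_path`, the demo layout and the rule "not owned by the trusted UID, or group/world-writable, means untrusted" are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): trusted-path audit for a
# file that a root cron job executes or pulls from.

# audit_exec_path FILE [TRUSTED_UID] [STOP_DIR]
#   Walks from FILE up to STOP_DIR (default /) and prints every component that
#   is not owned by TRUSTED_UID (default 0, root) or is group/world-writable.
#   Returns 0 if the chain is clean, 1 if anything was flagged, 2 on bad input.
audit_exec_path() {
    local path="$1" trusted="${2:-0}" stop="${3:-/}" bad=0
    case $path in /*) ;; *) echo "absolute path required" >&2; return 2 ;; esac
    [ -e "$path" ] || { echo "no such path: $path" >&2; return 2; }
    while :; do
        # find prints the path only when one of the unsafe conditions matches
        if [ -n "$(find "$path" -maxdepth 0 \
                \( ! -user "$trusted" -o -perm -020 -o -perm -002 \) -print)" ]; then
            printf 'UNTRUSTED %s\n' "$path"
            bad=1
        fi
        if [ "$path" = "$stop" ] || [ "$path" = / ]; then break; fi
        path=$(dirname "$path")
    done
    return "$bad"
}

# Constructed demo: the current user stands in for root, and a group-writable
# "repo" directory stands in for a repository another account can change.
demo() {
    local base me
    base=$(mktemp -d) && me=$(id -u)
    mkdir "$base/repo" "$base/locked"
    touch "$base/repo/backups.sh" "$base/locked/backups.sh"
    chmod 755 "$base/locked"; chmod 700 "$base/locked/backups.sh"
    chmod 775 "$base/repo";   chmod 755 "$base/repo/backups.sh"
    audit_exec_path "$base/locked/backups.sh" "$me" "$base" && echo "locked: clean"
    audit_exec_path "$base/repo/backups.sh"   "$me" "$base" || echo "repo: flagged"
    rm -rf "$base"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host, call `audit_exec_path` with no second or third argument on each script and repository path that a root crontab entry references, so that ownership is checked against UID 0 all the way up to `/`.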

Moving on to the Privilege Escalation phase.