spiderbackup.service


PEAS identified a writable service unit on the spidersociety host: spiderbackup.service

spidey@spidersociety:/dev/shm$ systemctl status spiderbackup.service
 spiderbackup.service - Spider Society Backup Service
     Loaded: loaded (/etc/systemd/system/spiderbackup.service; enabled; preset: enabled)
     Active: inactive (dead) since Wed 2025-04-23 07:44:05 UTC; 2 months 3 days ago
   Duration: 191ms
   Main PID: 1147 (code=exited, status=0/SUCCESS)
        CPU: 94ms
 
Warning: some journal files were not opened due to insufficient permissions.
 
 
spidey@spidersociety:/dev/shm$ cat /etc/systemd/system/spiderbackup.service
[Unit]
Description=Spider Society Backup Service
After=network.target
 
[Service]
Type=simple
ExecStart=/usr/local/bin/spiderbackup.sh
User=root
Group=root
 
[Install]
WantedBy=multi-user.target
spidey@spidersociety:/dev/shm$ ll /etc/systemd/system/spiderbackup.service
-rw-rw-r-- 1 spidey spidey 193 Apr 14 17:53 /etc/systemd/system/spiderbackup.service

The spiderbackup.service unit executes a Bash script, /usr/local/bin/spiderbackup.sh, as the root account. The unit file itself is owned by the spidey user and is writable by that user. Additionally, the spidey user has sudo privileges to reload and restart spiderbackup.service. Thus, this is a privilege escalation vector.

/usr/local/bin/spiderbackup.sh


spidey@spidersociety:/dev/shm$ cat /usr/local/bin/spiderbackup.sh
#!/bin/bash
zip -r /backup/spidersociety_backup.zip /var/www/html
 
spidey@spidersociety:/dev/shm$ ll /usr/local/bin/spiderbackup.sh
-rwxr-xr-x 1 root root 66 Apr 14 17:53 /usr/local/bin/spiderbackup.sh*

The Bash script is owned by the root account and is not writable by other users. It archives the /var/www/html directory into the /backup/spidersociety_backup.zip file.
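
A defender's check for the two conditions examined above (who can write the unit file, and who can write the script it starts), as an added example that is not part of the original writeup. The function names, the TRUSTED_UID variable and the optional root prefix are assumptions of this sketch.

```shell
#!/bin/sh
# Added example: flag root-run systemd units whose unit file or ExecStart
# target can be modified by a non-root account. Assumes system unit
# directories (user units do not run as root).
# TRUSTED_UID is an assumption of this sketch; leave it at 0 outside tests.
TRUSTED_UID="${TRUSTED_UID:-0}"

# True if the path is not owned by TRUSTED_UID, or is group/other-writable.
loosely_owned() {
    [ -n "$(find -L "$1" -prune \( ! -user "$TRUSTED_UID" \
        -o -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# True if the unit runs as root: User=root, User=0, or no User= line.
runs_as_root() {
    unit_user=$(sed -n 's/^[[:space:]]*User[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
    [ -z "$unit_user" ] || [ "$unit_user" = root ] || [ "$unit_user" = 0 ]
}

# Print the executable of each ExecStart= line, minus systemd's prefix
# characters (-, @, :, +, !).
exec_targets() {
    sed -n 's/^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*[-@:+!]*//p' "$1" |
        awk 'NF { print $1 }'
}

# audit_unit UNIT_FILE [ROOT_PREFIX]: one finding per line. ROOT_PREFIX
# points the ExecStart lookup at a mounted image or test tree.
audit_unit() {
    runs_as_root "$1" || return 0
    if loosely_owned "$1"; then
        echo "UNIT_WRITABLE $1"
    fi
    for target in $(exec_targets "$1"); do
        if loosely_owned "${2:-}$target"; then
            echo "EXEC_WRITABLE $target"
        fi
    done
}

# audit_dir DIR [ROOT_PREFIX]: audit every *.service file in DIR.
audit_dir() {
    for unit in "$1"/*.service; do
        if [ -f "$unit" ]; then
            audit_unit "$unit" "${2:-}"
        fi
    done
}
```

Calling audit_dir /etc/systemd/system on this host would report the unit file, since it is owned by spidey with mode 664, but not the root-owned 755 script. A unit flagged UNIT_WRITABLE is fixed by returning the file to root:root with mode 644.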