raspapd.service


PEAS has identified that the current account, www-data, has write access to a service file: raspapd.service

www-data@walla:/$ ll /etc/systemd/system/multi-user.target.wants/raspapd.service
0 lrwxrwxrwx 1 root root 35 Sep 17  2020 /etc/systemd/system/multi-user.target.wants/raspapd.service -> /lib/systemd/system/raspapd.service

It is symlinked to the /lib/systemd/system/raspapd.service file.

www-data@walla:/$ systemctl status raspapd.service
Warning: The unit file, source configuration file or drop-ins of raspapd.service changed on disk. Run 'systemctl daemon-reload' to reload units.
 raspapd.service - RaspAP Service Daemon
   Loaded: loaded (/lib/systemd/system/raspapd.service; enabled; vendor preset: enabled)
   Active: inactive (dead) since Fri 2024-08-02 17:20:33 EDT; 7 months 23 days ago
  Process: 1025 ExecStart=/bin/bash /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3 (code=exited, status=0/SUCCESS)
 Main PID: 1025 (code=exited, status=0/SUCCESS)

/lib/systemd/system/raspapd.service

www-data@walla:/$ cat /lib/systemd/system/raspapd.service
### BEGIN INIT INFO
# Provides:          raspapd
# Required-Start:    $remote_fs $syslog
# Required-Stop:     $remote_fs $syslog
# Default-Start:     S 2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start RaspAP daemon at boot time
# Description:       Enable service provided by daemon
### END INIT INFO
# Author: BillZ <billzimmerman@gmail.com>
 
[Unit]
Description=RaspAP Service Daemon
DefaultDependencies=no
After=multi-user.target
 
[Service]
Type=oneshot
ExecStart=/bin/bash /etc/raspap/hostapd/servicestart.sh --interface uap0 --seconds 3
RemainAfterExit=no
 
[Install]
WantedBy=multi-user.target
 
 
 
www-data@walla:/$ ll /lib/systemd/system/raspapd.service
4.0K -rw-r--r-- 1 www-data www-data 612 Aug  2  2024 /lib/systemd/system/raspapd.service

The current user has ownership of the service file, /lib/systemd/system/raspapd.service. This would mean that I can modify the service file to get code execution with the privileges of a different user. Code execution occurs when the service is started, restarted or stopped, and it might just be possible given the sudo privileges granted to the www-data account.

www-data@walla:/$ sudo systemctl daemon-reload
 
We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:
 
    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.
 
sudo: no tty present and no askpass program specified

The above vector is not possible because the current user is unable to perform daemon-reload.
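
The root cause seen above is a unit file owned by www-data instead of root. As an added example that is not part of the original write-up, the following check flags unit files with the wrong owner or with group/world write permission, resolving symlinks such as the one under multi-user.target.wants. The function name audit_units and its output format are assumptions, and it relies on GNU find, stat and readlink.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag systemd unit files that
# are not owned by the expected UID or are group/world-writable.
# Usage: audit_units EXPECTED_UID DIR...  (name and output format are assumptions)
# Requires GNU find, stat and readlink.
audit_units() {
    expected_uid=$1
    shift
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        # -L follows symlinks, e.g. multi-user.target.wants/raspapd.service
        find -L "$dir" -type f \( -name '*.service' -o -name '*.socket' \
            -o -name '*.timer' \) 2>/dev/null |
        while IFS= read -r unit; do
            # Report the resolved path so a symlink and its target dedupe.
            real=$(readlink -f -- "$unit") || continue
            owner=$(stat -c '%u' -- "$real") || continue
            mode=$(stat -c '%a' -- "$real") || continue
            if [ "$owner" -ne "$expected_uid" ]; then
                printf 'owner-uid=%s\t%s\n' "$owner" "$real"
            fi
            # 022 = group-write | other-write
            if [ $(( 0$mode & 022 )) -ne 0 ]; then
                printf 'writable-mode=%s\t%s\n' "$mode" "$real"
            fi
        done
    done | sort -u
}

# On a real host, root (UID 0) should own every unit file:
# audit_units 0 /etc/systemd/system /lib/systemd/system /usr/lib/systemd/system
```

Any line this prints for a unit that runs as root is worth fixing with chown root:root and chmod 644 on the reported path.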