Linux Privilege Escalation > Logrotate

Hello. I have been stuck with the Logrotate section for a whole day. The actual setting of the box is significantly different from what is taught:

  • There are some fake config files in /etc/logrotate.d but they are never executed. The actual configuration file lies in the /root folder, which I have no access to.
  • There is also a task cleaning up the /etc/bash_completion.d folder (rm *.log*) very frequently, so I have no chance to write anything into the created access.log.

Really appreciate it if someone could give me some hints on how to handle this.

Somehow the problem got fixed today. Don’t know how but thanks.

Hi, I’m struggling with this too. I wonder, how is the exploit supposed to work on the target? I can’t find that config file either. The supposedly correctly compiled and launched exploit says: “Waiting for rotating” with nc listening in a neighbouring pane… just as usual.


Yes, it was a bit tricky that the box is slightly different from the lesson’s example:
The explanation from @zjkmxy was really helpful. I can also recommend this article (much the same setup as the box), which also uses a different payload.


Were you able to figure this out? The /etc/logrotate.conf is not even there…

No. The box is specially designed so that the configuration file is inaccessible (/root/logrotate.conf if my memory is correct). You only need to figure out the correct log file, no need to read the conf.

Sorry, can you clarify a bit on the correct log file and how do I find it? It has to be owned by root and writable to us right?

Not really. The log file needs to be writable to us, but not necessarily owned by root.
You can try to echo some random contents into every log file you found. After a while, one log file will be rotated (that is, XXX.log becomes empty again and your content was put into XXX.log.1). That is our target.
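Seen from the administrator's side, the condition discussed above (a log that logrotate rotates while an unprivileged user can write in its directory) can be audited from the configuration itself. The following is an added example, not part of the thread or of any tool mentioned in it; the function names, the `trusted_uids` parameter and the sample stanzas are constructed for illustration, and it assumes logrotate runs as root.

```python
import os, re, stat, tempfile

def parse_stanzas(conf_text):
    """Yield (log_paths, directives) for each 'paths { ... }' stanza."""
    for m in re.finditer(r"^([^\n{}#]+)\{([^}]*)\}", conf_text, re.M):
        directives = [l.strip() for l in m.group(2).splitlines() if l.strip()]
        yield m.group(1).split(), directives

def dir_is_risky(path, trusted_uids):
    """True if an untrusted uid owns the directory or group/other can write to it."""
    st = os.stat(path)
    writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    return st.st_uid not in trusted_uids or writable

def audit(conf_text, trusted_uids=(0,)):
    """Return log paths that are rotated as root (no 'su' directive) inside a
    directory controlled by someone other than a trusted uid."""
    findings = []
    for paths, directives in parse_stanzas(conf_text):
        # 'su user group' makes logrotate rotate as that user instead of root.
        has_su = any(d.split()[0] == "su" for d in directives)
        for p in paths:
            parent = os.path.dirname(p)  # only the immediate parent is checked
            if not has_su and os.path.isdir(parent) and dir_is_risky(parent, trusted_uids):
                findings.append(p)
    return findings

def demo():
    """Constructed sample: three stanzas over throwaway directories."""
    base = tempfile.mkdtemp()
    dirs = {}
    for name, mode in (("shared", 0o777), ("locked", 0o755), ("shared_su", 0o777)):
        dirs[name] = os.path.join(base, name)
        os.mkdir(dirs[name])
        os.chmod(dirs[name], mode)
    conf = (
        "weekly\n"
        f"{dirs['shared']}/access.log {{\n    create\n    rotate 4\n}}\n"
        f"{dirs['locked']}/app.log {{\n    create\n}}\n"
        f"{dirs['shared_su']}/web.log {{\n    su www-data adm\n    create\n}}\n"
    )
    # The current uid is trusted here only so the demo depends on mode bits alone.
    found = audit(conf, trusted_uids=(0, os.getuid()))
    return [os.path.relpath(p, base) for p in found]

if __name__ == "__main__":
    print(demo())
```

On a real host, pass the text of the logrotate configuration files and leave `trusted_uids` at its default. The check is conservative: it flags any group-writable parent directory and does not inspect directories higher up the path.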

I’m up to the last step? with this challenge but cannot get Logrotten to write /etc/bash_completion.d/XXXXXX.log file.

When running Logrotten and triggering it, I get the below, but no log file.

Waiting 1 seconds before writing payload...
htb-student@ubuntu:/tmp$

Has anyone else had this issue? I’ve used Logrotten and payload files compiled on my machine and the target machine but no luck. Am I missing something??

EDIT: Reset the box, used a previous version of Logrotten and got it working.


There’s only one log file that’s writable to us and that’s access.log, that I can find at least…

Finished this task - this took a bit of digging. The reverse shell has a limited time to interact … I came up with copying dash and setting the SUID bit on it; after that you don’t have to hustle so fast ^^.

I’m still having trouble with this one. I see the copy with the payload in /etc/bash_completion.d and then it gets deleted, but the payload doesn’t execute.

Maybe you can try multiple times? And also try to use some faster non-interactive payload first.

Yep, helped for me too. Thanks a lot! They weren’t kidding when they said you need to be fast though. LOL.

Note: when executing /bin/dash, you might need the -p flag so that it does not drop the setuid privilege.


Yes exactly

I am blocked on this exercise. I have connected with ssh and I have seen that there is the backups folder with acces.log and acces.log. But I don’t know where the achievement file is; if someone could help me I would be grateful.

Did you do it?

Not yet, I’m still trying.

Friend, I did it just now. If you want, I can help you.