Hello. I have been stuck with the Logrotate section for a whole day. The actual setting of the box is significantly different from what is taught:
There is some fake config files in /etc/logrotate.d but they are never executed. The actual configuration file lies in the /root folder, which I have no access to.
There is also a task cleaning up /etc/bash_completion.d folder (rm *.log*) very frequently so I have no chance to write anything into the created access.log.
Really appreciate it if someone could give me some hints on how to handle this.
Hi, I’m struggling with this too. I wonder, how is the exploit supposed to work on the target? I can’t find that config file too. Supposedly correctly compiled and launched exploit says: “Waiting for rotating” with nc listening in a neighbouring pane… just as usual.
Yes, that was a bit tricky that the box is slightly different from the lesson’s example:
The explanation form @zjkmxy was really helpful, also can recommend this article (quite same set up as the box), also uses different payload
No. The box is specially designed so that the configuration file is inaccessible (/root/logrotate.conf if my memory is correct). You only need to figure out the correct log file, no need to read the conf.
Not really. The log file needs to be writable to us, but not necessarily owned by root.
You can try to echo some random contents into every log file you found. After a while, one log file will be rotated (that is, XXX.log becomes empty again and your content were put into XXX.log.1). That is our target.
I’m up to the last step? with this challenge but cannot get Logrotten to write /etc/bash_completion.d/XXXXXX.log file.
When running Logrotten and triggering it, I get the below, but no log file.
Waiting 1 seconds before writing payload...
htb-student@ubuntu:/tmp$
Has anyone else had this issue? I’ve used Logrotten and payload files compiled on my machine and the target machine but no luck. Am I missing something??
EDIT: Reset the box, used a previous version of Logrotten and got it working.
Finished this task - this was a bit diging. The reverse shell has a limited time to interact … i came up to copy dash and set the suid on it, after it you don’t have to hustle so fast ^^.
I’m still having trouble with this one. I see the copy with payload in /etc/bash_completion.d and get it gets deleted, but the payload doesn’t execute.
I am blocked in this exercise, I have accessed with ssh and I have seen that there is the backups folder with acces.log and acces.log. But I don’t know where the achievement file is, if someone could help me I would be grateful.