Linux Privilege Escalation > Logrotate

A helpful thing I found on this one, was that once you get it to kick a shell back to you, have a second listener ready and quickly paste in a second reverse shell before the connection closes, this closed the 2nd shell right away and kicked back to the first shell which remained open and let me have plenty of time on the target.

I can’t run logrotten and i am not able to clone it using git clone.Anyone has an idea how to solve this issue.

1 Like

yeah you have to trigger the log rotate yourself, this post shows you how to trigger it HackTheBox – Book | Ivan's IT learning blog, but you also need need to do something for the payload to execute and I recommend using the suid bit payload on bash cause you gotta be really fast for the reverse shell. I made a post asking for help some awesome person posted screenshots. I’ll give you a hint if you don’t wanna look for it: it requires you to remove a file

Can you explain why bash and dash drop seuid privilege? I thought when file set with +s i always obtain privilege of owner. Does it feature of bash skip privilege or system?

Someone else can correct me if I’m wrong, but I believe it’s the decision of the ones who write bash and dash source code. A root program can set it effective uid to be the uid of any user. Therefore, I think in bash/dash source code has a line where it checks whether the -p flag is declared, and set the euid of the running bash/dash program from root to the uid of the user that calls the program. Once the program euid is dropped to a normal user, the program itself cannot change its euid back to root anymore. You will need to terminate that program and run a new one. You can read bash/dash source code (it is written in C) to confirm what I said here

1 Like

hey man.
any tips on this?

I do echo ‘some shits’ > ./backups/access.log
then I’m running logrotten but nothing happens.


You should echo ‘messagw’ > ./backups/access.log several time and if first time nothing happens.
you should run ./logrotten again and add newmessage unique before

  1. Open the ssh session in another terminal
  2. Run echo hi >> ~/backup/access.log
  3. Keep the rotation running

Good Luck !!!

Its fine i made it. Also uploaded a video on youtube so other people who stuck can help themself.

Try when opening the second terminal, without changing the directory, to run echo hi >> ~/backup/access.log while rotation is running on the first terminal!

1 Like

I’m getting this error: ./logrotten: /lib/x86_64-linux-gnu/ version GLIBC_2.34’ not found (required by ./logrotten)`
I can’t install anything in the target so I don’t know how to solve the problem

If anyone need help with this can PM me

1 Like

Holy ■■■■ did I get hung up on this one. I’m not sure what my issue even was. I had the right log file. I had a good payload. I could trigger the rotation. I could see logrotten made the temporary symbolic link. However, no file was ever being written to the target dir. After contacting @tonymustgo for help, I decided to reset my instance and try again. Suddenly everything worked!!

Edit: One thing I did different after the reset was I used scp to copy logrotten.c over (thanks again for that suggestion @tonymustgo) where before I was using wget. So not sure if that caused my issue somehow.

1 Like

need help