how are we supposed to know that logrotate will rotate the files in the backup folder? ■■■■
i went to check into /etc/logrotate.d/ and found the mon config file, that is set to rotate hourly, in our own /home/htb-student/mon/. created the folder and a mon.log file with some content in it. waited two hours. logrotate didn’t run. LOL. that seemed to be the most “logical” way to follow what’s going on on that box, rather than having to “guess”. not the first time that i find those questions and challenges rather dumb, personally.
so yeah. ultimately: pushed pspy (32) on the box, ran it, and saw that logrotate runs every 5 seconds. the conf is at /root/log.conf so can’t read it. hence need to guess which files are rotated, and whether it’s create or compress. long story short the rotated file is at ~/backups/access.log and it’s create. then i echoed some ■■■■ in the file and VERY QUICKLY ran logrotten. if logrotate rotates before lauching logrotten it’s dead. and of course we have to launch logrotten only after we’ve edited the access.log. tried to run some sleep etc. but didn’t work for whatever reason. anyways, after logrotten did its job i had a few second to get the flag from nc listening lol. doesn’t feel that easy.
Did you get it? I have been waiting for nc as well.
I have tried many things… but still cannot get the shell… it keeps waiting for rotation…
when you do it it should not say waiting for rotation. you can do a one liner like this “echo test > backups/access.log && ./logrotten -p ./payload ~/backups/access.log” make sure youre pointing at the right files. when it doesnt say rotating and it says “Waiting 1 seconds before writing payload…” thats when you keep spamming the logrotten command (give it like 20 seconds then do it again if it doesnt work) until it can connect to your rev shell
Hello, thanks for your answer! I finally managed 
the way i did was:
host machine
nc -lvnp 9012
target:
echo test > /home/htb-student/backups/access.log
ASAP,
./logrotten -p ./shell /home/htb-student/backups/access.log
switch to your host machine and wait few seconds, be prepared to PASTE the command:
cat flag.txt
and copy the flag like a pro.
you only have few seconds to do this, so thats why you have to got the command prepared only to paste it! =D
“Sorry, can you clarify a bit on the correct log file and how do I find it? It has to be owned by root and writable to us right?”
htb-student@ubuntu:/tmp$ cat /var/lib/logrotate.status
logrotate state – version 2
“/home/htb-student/backups/access.log” 2024-6-28-13:52:33
just add a root user or change the root password as a payload 
do not use ~ but use the full absolute path instead: /home/htb-student/…
It should be mentioned that there is a logic and configuration problem with the exercise. The logrotate configuration is normally supposed to include the /etc/logrotate.d files, therefore the /home/htb-student/mon/mon.log file:
/home/htb-student/my/my.log {
hourly
rotate 5
notifempty
maxsize 1k
create
}
Logically it would have been enough to create the file /home/htb-student/mon/mon.log, fill the content so that it exceeds 1k, wait 1 hour. But the exploit does not work, because the file is not rotted.
The exercise is poorly done.
You can compile logrotten directly on box
or, as true malware developer, on your machine with oldest glibc version , using Docker
# image with GLIBC-2.31
FROM ubuntu:20.04
# Install gcc and lib for compilation
RUN apt-get update && apt-get install -y \
gcc \
libc6-dev \
&& rm -rf /var/lib/apt/lists/*
COPY logrotten.c /logrotten.c
RUN gcc -o logrotten /logrotten.c
CMD ["true"]
and run it
docker build -t glibc-2.31 .
docker run --rm -v "$(pwd)":/output glibc-2.31 /bin/bash -c "cp /logrotten.c /output/logrotten && gcc -o /output/logrotten /output/logrotten.c"
Thanks man, your summary helped me a lot.
Just want to be clear and fix your summary.
I triggered the log rotate after I ran the command “/logrotten -p ./payload /home/htb-student/backups/access.log”
And guys, open another terminal of ssh in order to do that fast and be ready to run the “cat flag.txt” command. The root access will be gone fast.
Thanks again
I am over 100% sure that this lab does not function properly, this whole lab is simple enough to get the hang of. I was able to catch a rev shell once, every other time nothing else happens, I check the symlinks and there is nothing there.
EDIT: it finally worked, it took at least 25x attempts of running the echo command then the logrotten command as a one liner, it finally worked when I ran them as separate commands very quickly. Annoying lab.
This wasn’t a great lab - the payload file works maybe once every 20 times.
however it eventually worked. what I found helped was to increase the time for logrotten to 10 seconds.
also a neat trick that I found out doing this lab is you can ‘stage’ commands in nc. A few of the comments have said you have to be quick but if you just type your command and hit enter while nc is listening it will run it as soon as it connects
you can also do this without a reverse shell if you play with the payload. You are just running a command as root after all
If anyone else is struggling with this please remember. As per @zjkmxy comment, this works around 1 in every 20 attempts. I could not get this to work ever time. I just kept hitting up arrow and enter to run the exact same command again and again and again until it worked.
Remember, the payload can be whatever you want. As others have mentioned a shell will be closed down after 5 seconds. You can still get the flag in this time frame but I just used NC to send the contents of /root/flag.txt to my listener. Just another way to do it and easy way of dealing with the time constraint.
Используй logrotten как описанно. потом запиши любой текст в файл.log → сохрани → быстро запусти и получишь обратную оболочку