how are we supposed to know that logrotate will rotate the files in the backup folder? â â â â
i went to check into /etc/logrotate.d/ and found the mon config file, that is set to rotate hourly, in our own /home/htb-student/mon/. created the folder and a mon.log file with some content in it. waited two hours. logrotate didnât run. LOL. that seemed to be the most âlogicalâ way to follow whatâs going on on that box, rather than having to âguessâ. not the first time that i find those questions and challenges rather dumb, personally.
so yeah. ultimately: pushed pspy (32) on the box, ran it, and saw that logrotate runs every 5 seconds. the conf is at /root/log.conf so canât read it. hence need to guess which files are rotated, and whether itâs create or compress. long story short the rotated file is at ~/backups/access.log and itâs create. then i echoed some â â â â in the file and VERY QUICKLY ran logrotten. if logrotate rotates before lauching logrotten itâs dead. and of course we have to launch logrotten only after weâve edited the access.log. tried to run some sleep etc. but didnât work for whatever reason. anyways, after logrotten did its job i had a few second to get the flag from nc listening lol. doesnât feel that easy.
when you do it it should not say waiting for rotation. you can do a one liner like this âecho test > backups/access.log && ./logrotten -p ./payload ~/backups/access.logâ make sure youre pointing at the right files. when it doesnt say rotating and it says âWaiting 1 seconds before writing payloadâŚâ thats when you keep spamming the logrotten command (give it like 20 seconds then do it again if it doesnt work) until it can connect to your rev shell
It should be mentioned that there is a logic and configuration problem with the exercise. The logrotate configuration is normally supposed to include the /etc/logrotate.d files, therefore the /home/htb-student/mon/mon.log file:
Logically it would have been enough to create the file /home/htb-student/mon/mon.log, fill the content so that it exceeds 1k, wait 1 hour. But the exploit does not work, because the file is not rotted.
Just want to be clear and fix your summary.
I triggered the log rotate after I ran the command â/logrotten -p ./payload /home/htb-student/backups/access.logâ
And guys, open another terminal of ssh in order to do that fast and be ready to run the âcat flag.txtâ command. The root access will be gone fast.
I am over 100% sure that this lab does not function properly, this whole lab is simple enough to get the hang of. I was able to catch a rev shell once, every other time nothing else happens, I check the symlinks and there is nothing there.
EDIT: it finally worked, it took at least 25x attempts of running the echo command then the logrotten command as a one liner, it finally worked when I ran them as separate commands very quickly. Annoying lab.