how are we supposed to know that logrotate will rotate the files in the backup folder? ■■■■
i went to check into /etc/logrotate.d/ and found the mon config file, that is set to rotate hourly, in our own /home/htb-student/mon/. created the folder and a mon.log file with some content in it. waited two hours. logrotate didn’t run. LOL. that seemed to be the most “logical” way to follow what’s going on on that box, rather than having to “guess”. not the first time that i find those questions and challenges rather dumb, personally.
so yeah. ultimately: pushed pspy (32) on the box, ran it, and saw that logrotate runs every 5 seconds. the conf is at /root/log.conf so can’t read it. hence need to guess which files are rotated, and whether it’s create or compress. long story short the rotated file is at ~/backups/access.log and it’s create. then i echoed some ■■■■ in the file and VERY QUICKLY ran logrotten. if logrotate rotates before lauching logrotten it’s dead. and of course we have to launch logrotten only after we’ve edited the access.log. tried to run some sleep etc. but didn’t work for whatever reason. anyways, after logrotten did its job i had a few second to get the flag from nc listening lol. doesn’t feel that easy.
when you do it it should not say waiting for rotation. you can do a one liner like this “echo test > backups/access.log && ./logrotten -p ./payload ~/backups/access.log” make sure youre pointing at the right files. when it doesnt say rotating and it says “Waiting 1 seconds before writing payload…” thats when you keep spamming the logrotten command (give it like 20 seconds then do it again if it doesnt work) until it can connect to your rev shell
It should be mentioned that there is a logic and configuration problem with the exercise. The logrotate configuration is normally supposed to include the /etc/logrotate.d files, therefore the /home/htb-student/mon/mon.log file:
Logically it would have been enough to create the file /home/htb-student/mon/mon.log, fill the content so that it exceeds 1k, wait 1 hour. But the exploit does not work, because the file is not rotted.
Just want to be clear and fix your summary.
I triggered the log rotate after I ran the command “/logrotten -p ./payload /home/htb-student/backups/access.log”
And guys, open another terminal of ssh in order to do that fast and be ready to run the “cat flag.txt” command. The root access will be gone fast.
I am over 100% sure that this lab does not function properly, this whole lab is simple enough to get the hang of. I was able to catch a rev shell once, every other time nothing else happens, I check the symlinks and there is nothing there.
EDIT: it finally worked, it took at least 25x attempts of running the echo command then the logrotten command as a one liner, it finally worked when I ran them as separate commands very quickly. Annoying lab.
This wasn’t a great lab - the payload file works maybe once every 20 times.
however it eventually worked. what I found helped was to increase the time for logrotten to 10 seconds.
also a neat trick that I found out doing this lab is you can ‘stage’ commands in nc. A few of the comments have said you have to be quick but if you just type your command and hit enter while nc is listening it will run it as soon as it connects
you can also do this without a reverse shell if you play with the payload. You are just running a command as root after all
If anyone else is struggling with this please remember. As per @zjkmxy comment, this works around 1 in every 20 attempts. I could not get this to work ever time. I just kept hitting up arrow and enter to run the exact same command again and again and again until it worked.
Remember, the payload can be whatever you want. As others have mentioned a shell will be closed down after 5 seconds. You can still get the flag in this time frame but I just used NC to send the contents of /root/flag.txt to my listener. Just another way to do it and easy way of dealing with the time constraint.