Cron Jobs
/etc/crontab
What are Cron Jobs?
In Linux, scheduled tasks are called cron jobs. Cronjobs are defined in /etc/crontab (cron table). If we are able to write malicious payload to a script that is executed automatically every minute or so, then this payload will be triggered as root because of the cronjob.
Enumeration
Enumerate crontab:
cat /etc/crontabFor example:
Here five asterisks means "every minute of every day of every week of every month, that command runs", hence overwrite.sh and /usr/local/bin/compress.sh will be executed every minute.
If we don't have permission to read /etc/crontab, pspy can help us identify scheduled tasks as well.
Method 1: Cron Path
Recall the crontab:
Note that overwrite.sh is executed using relative path and the $PATH variable is:
If we create a malicious overwrite.sh in /home/user, then this malicious script will be executed as cronjob.
Create a malicious overwrite.sh in /home/user:
Don't forget to give it permission:
Wait a moment until you believe that this script gets executed. Try getting a root shell:
Method 2: Cron Wildcard
Recall the crontab:
Examine the content of /usr/local/bin/compress.sh:
Notice the wildcard used by tar. This script intends to backup the /home/user directory. Here we can store a privesc payload in /home/user/runme.sh and use tar injection to let cronjob execute the following command:
Create a privesc payload /home/user/runme.sh:
Give it permission:
Prepare tar injection part 1:
Prepare tar injection part 2:
Wait a moment until you believe that this script gets executed. Try getting a root shell:
Method 3: Cron File Overwrite
Recall the crontab:
Examine its permission:
Since this script is owned by root and it is executable, we can simply append a privesc payload (or reverse shell payload) to this file and wait for cronjob to execute it.
Ovewrite /usr/local/bin/overwrite.sh with a privesc payload:
Wait a moment until you believe that this script gets executed. Try getting a root shell:
Challenge: TryHackMe - CMesS
Last updated
Was this helpful?