Cron Jobs Gone Wild (ine)

 In this lab, we have compromised a machine but we only have access as the low privileged user called student. This means that if we try to enumerate cronjobs using techniques such as looking at the crontable, we will not see those which have been scheduled to run as root.

We therefore need to enumerate the cronjobs in different ways. One way is to use the pspy tool. This shows running processes including cronjobs scheduled by root. Another way is to enumerate the box looking for interesting files and tar archives.

We want to look for files which we can write to just in case they are being used by a cronjob and we can amend them. The command to use is:

find / -path /proc -prune o -type f -perm -o+w 2>/dev/null

We want to look into interesting tar archives as they might be backing up directories via a cronjob using the * wildcard. This can be exploited to elevate our privileges. In order to unarchive and unzip a tar.gz file, we can use:

tar -zxvf monitor.tar.gz



Whilst enumerating this box, we find an interesting tar.gz file in the /tmp directory. It is always worth checking the /tmp directory along with /var/tmp and /dev/shm We need to remember to look for hidden files as well as unhidden files.

One command we can use to enumerate all of the above temporary directories is:

ls -l /tmp /var/tmp /dev/shm

After extracting the tar.gz file we see five files are in it. We search for them and see that they are all in one directory. This makes us wonder if a cronjob is backing up this directory.


In order to test our theory, we create a new file and wait to see if it turns up in the tar.gz file.



Now that we know that a cronjob is indeed backing up the directory using a wildcard, we can navigate to the backed up directory to start exploiting the vulnerability.

We need to create a shell script which will do something malicious. We could open a reverse shell to a remote machine under our control, add the student user to the sudoers group, make a copy of /bin/bash and set the suid bit on it or as in this example use netcat to open a local shell.

The command we use is:

printf '#! /bin/bash\nnc -e /bin/bash 127.0.0.1 1234' > shell.s

We need to make it executable using:

chmod +x shell.sh

We now create empty files which have tar switches as their filenames. This is so when tar encounters them as it is backing up the directory, it interprets them as commands.

The first one is:

--checkpoint=1

This will force tar to pause and look for a command to execute. This command will be given in the next filename:

--checkpoint-action=exec=sh shell.sh



The specific commands needed to create the empty files with malicious filenames are:

touch "/var/log/monitor/--checkpoint-action=exec=sh shell.sh"

touch "/var/log/monitor/--checkpoint=1"

We have gained a root shell by exploiting the use of a tar * running as a root cronjob.

To finish this lab, we can have a look at the crontable for the root user to prove what we already know.


We could now set up a new cronjob as the root user which calls out to a machine which we control so we can gain persistence. We could then clean up by removing the malicious files we created.


I hope this was of use.

puzz00






Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more