💥Exploiting Misconfigured Cron Jobs

Cron Jobs

  • Linux implements task scheduling through a utility called Cron.

  • Cron is a time-based service that runs applications, scripts and other commands repeatedly on a specified schedule.

  • An application, or script that has been configured to be run repeatedly with Cron is known as a Cron job. Cron can be used to automate or repeat a wide variety of functions on a system, from daily backups to system upgrades and patches.

  • The crontab file is a configuration file that is used by the Cron utility to store and track Cron jobs that have been created.

Exploiting Misconfigured Cron Jobs

  • Cron jobs can also be run as any user on the system, this is a very important factor to keep an eye on as we will be targeting Cron jobs that have been configured to be run as the “root” user.

  • This is primarily because, any script or command that is run by a Cron job will run as the root user and will consequently provide us with root access.

  • In order to elevate our privileges, we will need to find and identify cron jobs scheduled by the root user or the files being processed by the cron job.

Attack Flow: Gaining Privilege via Cron Jobs

1. Identify Cron Jobs for the Current User

Start by listing all cron jobs for the user account you have access to:

crontab -l

If no cron jobs are listed or you need to check system-wide cron jobs, proceed to the next step.

2. Search for Cron Job Files with Higher Privileges

Look for files related to cron jobs that might be owned by higher-privileged users. Use the grep command to find references to these files:

grep -rnw /usr -e "<file_path>"

Replace <file_path> with the path to the cron job file you found. This command will search for occurrences of the file path in /usr directory.

3. Inspect the Results

Review the files listed by the grep command. Look for files that you can edit and that have an associated cron job.

4. Append Code to Gain Sudo Permissions

If you find an editable file associated with a cron job, append the following code to it to grant yourself sudo permissions:

printf '#!/bin/bash\necho "<your_user> ALL=NOPASSWD:ALL" >> /etc/sudoers' > <vulnerable_file>

Replace <your_user> with your actual username and <vulnerable_file> with the path to the file you are modifying.

5. Wait for the Cron Job to Execute

The cron job will run at its scheduled time. You need to wait for it to complete.

6. Verify Your Sudo Permissions

After the cron job runs, check if you have gained sudo permissions:

sudo -l

If you see that you have NOPASSWD permissions, you have successfully escalated your privileges.

Hacker's Mantra:Never underestimate the determination of a kid who is time-rich and cash-poor. - Cory Doctorow

PreviousLinux Kernel ExploitsNextExploiting SUID Binaries

Last updated