Day 30: Abusing Cron for Privilege Escalation (Nebula Level03)
Abusing Cron
The challenge provides a hint:
Check the home directory of flag03 and take note of the files there. There is a crontab that is called every couple of minutes.
These types of issues are common in easy CTFs, CTF VMs and more. The issue is generally when a command running as another use can be abused in some way, in linux most common ones that can be abused are wildcards * and directory trees. Today we will focus on a wildcard command that will enable us to do whatever we need to as the user, in this case flag03 because this cronjob runs as that user.
Solution #1
In our bash script we will use “chmod +s” as that sets user or group ID on execution, exactly what we want to spawn shell as user flag03.
First let’s create our exploit, we first need to know the user we want to mimic, since it’s a CTF VM we know it’s flag03, so we can run the following command:
level03@nebula:/home/flag03$ cat /etc/passwd | grep "flag03"
flag03:x:996:996::/home/flag03:/bin/shOk, so id 996, then the shell.c file should look like this…
shell.c
Now let’s create the ‘glue’ the script that will run as flag03, copy our shell, SetUID/GID and make it executable…
pwn.sh
Commands are run as follows:
nano /tmp/shell.c
cd /home/flag03/writeable.d/
nano pwn.sh
chmod +x pwn.sh
I have some great cron priv. esc. examples in the archives from old jobs/ctfs, when I get a change I will update this post on all things cron based priv. esc.
