Screen & Cron Jobs

Vulnerable services

  • screen -v
    • Screen v4.5.0
    • privilege escalation due to a missing permission check when opening a log file.
    • This allows an attacker to truncate any file or create a file owned by root in any directory, and ultimately gain full root access.
  • run the ~/tool/screen/screen-exploit.sh

Cron Job Abuse

  • Cron jobs can also be set to run one time (such as on boot)
    • used for admin tasks like running backups, cleaning dirs.
  • crontab creates a cron file under /var/spool/cron, which the cron daemon runs on the schedule specified.
  • Each entry in the crontab file requires six items in the following order:
    • minute, hour, day of month, month, day of week, command.
    • 0 */12 * * * /home/admin/backup.sh would run every 12 hours.
  • The root crontab is almost always only editable by the root user or a user with full sudo privileges
  • Certain applications create cron files in the /etc/cron.d directory and may be misconfigured to allow a non-root user to edit them.

Looking for writable files and dirs

  • find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null
  • Looking inside the folders mentioned above, we can deduce that a file is created every 3 minutes.
    • also, the backup.sh file seems writable and runs as root.
    • if we can edit it (e.g. to add a reverse shell), the cron job will run it as root.
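An added audit script (not part of the original notes) that checks a crontab file for the misconfiguration this section relies on: a scheduled command whose script, or the directory holding it, is world-writable. It assumes POSIX sh and a find that understands -perm -o+w (GNU and BSD do); file names and the user/system layouts are the standard cron ones.

```shell
#!/bin/sh
# audit_cron_file: report scheduled commands whose script or script directory
# is world-writable, i.e. the writable backup.sh case above.
#
#   audit_cron_file <file> [user|system]
#     user   : five schedule fields then the command (crontab -l output)
#     system : schedule fields, a user column, then the command
#              (/etc/crontab and /etc/cron.d/* layout)
# Prints "<script>: <reason>" per finding; exit status 1 if anything was found.
audit_cron_file() (
    cronfile=$1 fmt=${2:-user} found=0
    set -f                                   # keep * in schedule fields from globbing
    while IFS= read -r line || [ -n "$line" ]; do
        set -- $line
        case ${1:-#} in
            '#'*|*=*) continue ;;            # blank line, comment, or VAR=value line
            @*)  n=1 ;;                      # @reboot, @daily, ...: one schedule field
            *)   n=5 ;;                      # minute hour day-of-month month day-of-week
        esac
        if [ "$fmt" = system ]; then n=$((n + 1)); fi   # skip the user column too
        [ $# -gt "$n" ] || continue          # malformed entry, nothing to check
        shift "$n"
        cmd=$1
        case $cmd in                         # "sh /path/x.sh": the script is the next word
            sh|bash|dash|python*|perl) cmd=$2 ;;
        esac
        case $cmd in
            /*) ;;
            *) echo "$cmd: relative command, resolved through cron's PATH"; found=1; continue ;;
        esac
        if [ -n "$(find "$cmd" -maxdepth 0 -perm -o+w 2>/dev/null)" ]; then
            echo "$cmd: world-writable script"; found=1
        fi
        dir=${cmd%/*}
        if [ -n "$(find "${dir:-/}" -maxdepth 0 -perm -o+w ! -perm -1000 2>/dev/null)" ]; then
            echo "$cmd: directory ${dir:-/} is world-writable without sticky bit"; found=1
        fi
    done < "$cronfile"
    exit "$found"
)
```

Run it against `crontab -l` output saved to a file, and against /etc/crontab and each file in /etc/cron.d with the system layout; a non-zero exit status means at least one entry should be fixed with chmod o-w.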

PSPY - https://github.com/DominicBreuker/pspy

  • scans the procfs
  • ./pspy64 -pf -i 1000
    • -pf flag tells the tool to print commands and file system events
    • -i 1000 tells it to scan procfs every 1000ms (or every second).
  • Wait for the output.
  • we see a backup.sh file being run from /dmz-backup
  • we edit it and add a reverse shell to our machine
  • start the nc listener
  • save the backup.sh file