From a pentester's perspective, cron jobs are one of many ways you can get SYSTEM to perform a task or a set of tasks. Jobs are scheduled periodically, with the freedom to run tasks daily, weekly, monthly and so on. It is a convenient way to handle automatic updates and backups, achieved by running scripts or executing commands on a schedule.
Below is what a crontab entry looks like:
**Example of job definition:**

```
.---------------- minute (0 - 59)
|  .------------- hour (0 - 23)
|  |  .---------- day of month (1 - 31)
|  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
|  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
|  |  |  |  |
*  *  *  *  * user-name command to be executed
```
Cron jobs can be found in /var/spool/cron/crontabs and should be accessible only by root. The scheduled jobs of the current user can be listed with the command shown below, and what this particular job does is obvious from the script it runs: every minute it changes into /scripts and executes every .py file found there.

```
# crontab -l
* * * * * cd /scripts; for f in *.py; do python "$f"; done
```
Let's dive in to get some shells!
First, let's run an nmap scan against our target machine.
The scan shows a web server running; start a Nikto scan to enumerate further and visit the site in the meantime.
Nikto shows a /dev/ directory listing, and there is much to discover. The listing has two links:
Have a look at the phpbash.php file; the details are at https://github.com/arrexel/phpbash, read through it! What it gives you is code execution capability, which can also be used to drop a web shell on vulnerable websites. Good to know! Enumerating further into the system (LinuxPrivChecker.py or cat /etc/passwd) reveals two user accounts, of which scriptmanager (isn't that an unusual name? Hmm) is the more interesting, because it can access the /scripts folder in the root directory.
Amazing! We can see a few scripts with a .py extension. That's not it: after a lot of drama, to the point where my frustration was so high that I left my listening port open for a long time with a downloaded reverse shell script in the /scripts folder while messing around with some other files, I got back to my listening shell and there you go, root dance with cron jobs!
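The root cause here is a root-owned cron job that executes whatever sits in a directory another user can write to. As an added defender-side example (not code from the original post or the box), the Python below parses crontab lines in the format shown above and flags any job whose referenced paths a non-root user could modify; the temporary fixture directories, the `demo()` function and the `trusted_uids` parameter are my assumptions for making it run offline.

```python
import os, re, stat, tempfile

# Absolute paths inside a command; their permissions decide the finding.
PATH_RE = re.compile(r"(?<![\w.])(/[\w./-]+)")

def parse_crontab(text, system=False):
    """Return (schedule, user, command) per job; system=True means a user
    field follows the schedule, as in /etc/crontab and /etc/cron.d/*."""
    jobs = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#") or re.match(r"^\w+=", s):
            continue  # blank line, comment, or VAR=value assignment
        n = (1 if s.startswith("@") else 5) + (1 if system else 0)
        parts = s.split(None, n)
        if len(parts) <= n:
            continue  # schedule with no command
        user = parts[n - 1] if system else "<owner>"
        sched = " ".join(parts[:n - 1] if system else parts[:n])
        jobs.append((sched, user, parts[n]))
    return jobs

def writable_by_non_root(path, trusted_uids=(0,)):
    """True if path exists and is owned by an untrusted uid or is group/world
    writable: anyone with that access controls what the job executes."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid not in trusted_uids or bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit(text, system=False, trusted_uids=(0,)):
    """List (user, path, command) for each job that touches a modifiable path."""
    return [(user, p, cmd) for _, user, cmd in parse_crontab(text, system)
            for p in PATH_RE.findall(cmd) if writable_by_non_root(p, trusted_uids)]

def demo():
    """Constructed fixture mirroring the box: a world-writable scripts
    directory walked by a root job, plus a locked-down control directory."""
    base = tempfile.mkdtemp()
    scripts, safe = os.path.join(base, "scripts"), os.path.join(base, "safe")
    os.mkdir(scripts); os.chmod(scripts, 0o777)
    os.mkdir(safe); os.chmod(safe, 0o700)
    crontab = ("SHELL=/bin/sh\n"
               f'* * * * * cd {scripts}; for f in *.py; do python "$f"; done\n'
               f"@daily tar czf {safe}/backup.tgz {safe}\n")
    # The fixture is owned by whoever runs this, so trust that uid and let the
    # mode bits decide; on a real host keep the default of trusting only root.
    return audit(crontab, trusted_uids={0, os.getuid()})
```

Run `audit()` over `crontab -l` output for each user, and with `system=True` over /etc/crontab and /etc/cron.d/*, to catch the same pattern on hosts you defend.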
Cheers!