Insecure File Permissions

In this attack method, we identify an executable that allows other users write access and it runs at an elevated privilege.

Crontab

Crontab, scheduler in Linux, is a prime target as system level scheduled jobs are executed with root user privileges. System administrators also make the mistake of creating cron jobs with insecure permissions.

We can look for cron jobs in 2 different ways. First by looking into the filesystem for installed cron jobs. This can be done by using the following command,

cat /etc/crontab

grep "CRON" /var/log/cron.log

There are times when not all cron jobs get listed (I am still trying to figure it out). In the mean time I came across this script created by Benjamin W of Stackoverflow to list all cron jobs of all users. Here's the link to the script that I have added to my Github account,

vapt/completecrontac.sh at main · SisyphusP42/vaptGitHub

Passwd File

The passwd file under the etc folder contains the list of users and it optionally stores the password hash of the user. When a user get authenticated the respective process checks the passwd file for the hash before moving on to the Shadow file, which contains the password hash.

If we were to have write access to this file, then we can manually add a user and password to this user. We can then login as that user with elevated privileges.

The hash to the password can be generated using the following command,

openssl passwd <password>

Then using the output of the previous command a new user similar to the root user can be added to the passwd file.

echo "root2:BK24fhifieu3I:0:0:root:/root:/bin/bash" >> /etc/passwd

PreviousDirtyPipe NextEnumerating Processes

Last updated 6 months ago