Cronjob
www-data@ubuntu-xenial:/dev/shm$ cat /etc/crontab | grep -v '^#'
SHELL=/bin/sh
PATH=/home/james:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /usr/local/bin/backup.shA root cronjob was identified.
It’s executing the /usr/local/bin/backup.sh file as the root account
It was also enumerated by PEAS and the execution flow was captured by PSPY
/usr/local/bin/backup.sh
www-data@ubuntu-xenial:/dev/shm$ ll /usr/local/bin/backup.sh
4.0K -rwx---r-- 1 root root 54 Jan 17 2021 /usr/local/bin/backup.sh
www-data@ubuntu-xenial:/dev/shm$ cat /usr/local/bin/backup.sh
#!/bin/sh
cd /home/james/
tar czf /tmp/backup.tar.gz *The Bash script that gets executed by the root cronjob process has 2 critical issues;
- tar binary is being called without its absolute directory
- This could be exploitable if write access to the PATH variable is granted
- There is a wildcard character at the end of the tar command
- If the
/home/james/directory is writable, wildcard injection would be possible
- If the