Cron Jobs - PATH Environment Variable
Enumeration
We are going to exploit the PATH environment variable to escalate our privileges to root. Let's check the content of the crontab, /etc/crontab.

As you can see, the PATH variable starts with /home/user, which is our current user's home directory. Since we have write permission to that directory, we can create a file with the same name, overwrite.sh, so that it is executed by the cron job. This is possible because the overwrite.sh script is not configured with its full path and is set to run with root privilege, thereby allowing us to hijack it.
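A defender-side check for the condition described above, added here as an example and not part of the original write-up: it parses a system crontab and, for every job whose command is a bare name (no slash, so it is resolved through PATH), reports which PATH directories are writable by ordinary users. The sample crontab and the set of writable directories are constructed inputs; on a real host the writable set would come from permission checks on each PATH entry.

```python
import re
import shlex

# Constructed sample of a system crontab (not taken from any real host).
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
MAILTO=root

# m h dom mon dow user  command
17 *    * * *   root    run-parts --report /etc/cron.hourly
*  *    * * *   root    overwrite.sh
*  *    * * *   root    /usr/local/bin/compress.sh
"""

# Constructed: directories on this host that a non-root user can write to.
WRITABLE_DIRS = {"/home/user", "/tmp"}


def parse_crontab(text):
    """Return (path_dirs, entries) from system-crontab text.

    entries are (user, command) for each job line; a PATH= assignment is
    honoured, other variables, comments and blank lines are skipped.
    """
    path_dirs, entries = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^(\w+)=(.*)$", line)
        if m:
            if m.group(1) == "PATH":
                path_dirs = m.group(2).strip('"').split(":")
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue  # malformed line, not a job
        entries.append((fields[5], fields[6]))
    return path_dirs, entries


def find_path_hijack_risks(text, writable_dirs):
    """Flag jobs whose first word is a bare command name while PATH contains
    a user-writable directory (shell builtins would be a false positive)."""
    path_dirs, entries = parse_crontab(text)
    risky = []
    for user, command in entries:
        first = shlex.split(command)[0]
        if "/" in first:
            continue  # explicit path, not resolved through PATH
        hijackable = [d for d in path_dirs if d in writable_dirs]
        if hijackable:
            risky.append({"user": user, "command": first,
                          "writable_path_dirs": hijackable})
    return risky
```

The fix is the one the text implies: reference the script by its full path and keep user-writable directories out of the PATH that cron jobs inherit.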
Exploitation
Let's create a script, overwrite.sh, with a reverse shell payload and place it in our home directory, so that it is executed automatically by the cron job.

We will set up a reverse shell listener and wait for an incoming connection.

Well… As you can see, we have obtained a shell with root privilege.