add some cron-based priv-esc attacks

andreashappe · andreashappe · commit 62ec3e8cbd04 · 2023-08-09T12:00:53.000+02:00
diff --git a/README.md b/README.md
@@ -1,5 +1,7 @@
 # create VMs with priv-esc vulnerabilities
 
+We need a benchmark for some priv-esc testing.. so let's utilize somes stuff from [hacktricks](https://book.hacktricks.xyz/linux-hardening/privilege-escalation)
+
 ## setup instructions
 
 This depends upon installed
@@ -49,6 +51,8 @@ my_machine$
 | `root_password_reuse` | user `root` has the same password as `lowpriv` |
 | `root_password_root` | user `root` has password `root` |
 | `root_allows_lowpriv_to_ssh` | user `lowpriv` has SSH keybased access to `root` |
+| `root_allows_lowpriv_to_ssh` | user `lowpriv` can overwrite cron-executed script |
+| `cron_calling_user_wildcard` | backup script running as roots can be exploited using wildcards |
 
 ## howto apply the vulnerable VM configuration?
 
diff --git a/hosts.ini b/hosts.ini
@@ -19,4 +19,10 @@
 192.168.122.133
 
 [root_allows_lowpriv_to_ssh]
+192.168.122.133
+
+[cron_calling_user_file]
+192.168.122.133
+
+[cron_calling_user_wildcard]
 192.168.122.133
diff --git a/tasks.yaml b/tasks.yaml
@@ -118,3 +118,32 @@
         user: root
         state: present
         key: "{{ ssh_key['content'] | b64decode }}"
+
+# new ones
+
+# todo: need to test again, maybe I need to restart cron after this
+# $ echo "" > "--checkpoint-action=exec=sh exploit.sh"
+# $ echo "" > --checkpoint=1
+- name: cron creating a backup of a user directory
+  hosts: cron_calling_user_wildcard
+  gather_facts: true
+  remote_user: root
+  tasks:
+    - name: Create a backup directory in the user home directory
+      ansible.builtin.file:
+        path: /home/lowpriv/backup
+        state: directory
+        mode: '0755'
+        owner: 'lowpriv'
+        group: 'lowpriv'
+    - name: create a target backup directory
+      ansible.builtin.file:
+        path: /var/spool/backups
+        state: directory
+        mode: '0755'
+        owner: 'root'
+        group: 'root'
+    - name: "create the cron tab"
+      ansible.builtin.cron:
+        name: "become root"
+        job: "cd /home/lowpriv/backup && tar -zcf /var/spool/backups/lowpriv.tar.gz *"
