TryHackMe: Advent of Cyber [Day 20] Cronjob Privilege Escalation

Room: Advent of Cyber

Difficulty: Beginner

“You think the evil Christmas monster is acting on Elf Sam’s account!

Hack into her account and escalate your privileges on this Linux machine.”

For this challenge you will have to deploy the VM from the question and then use either OpenVPN or the THM virtual Kali Machine (if you are a subscriber) to connect to it. If you need instructions for how to do that, click HERE.

Question #1 What port is SSH running on?

The first thing I am going to do here is use nmap to scan for open ports. SSH is traditionally on Port 22, but since they are asking this question, I am assuming it’s on some weird random port.

I’m going to use a basic scan first, then we can get more in-depth if needed.

nmap -sV -O <target ip>

Looks like that’s all that was needed. The port is shown here.

Question #2 Crack sam’s password and read flag1.txt

So we need to get into SSH using Sam’s credentials. We used Hydra for this a couple days ago (HERE), so this should just be a refresher. The difference is we will need to specify the port number this time, otherwise it will try 22 by default.

hydra -l sam -P <path to rock you> <target ip> -s <port number> -t 4 ssh

Nice, we cracked her password: chocolate.

Use that to log in:

ssh -p <port number> sam@<target ip>

From here you can easily find the file we need:

Question #2 Escalate your privileges by taking advantage of a cronjob running every minute. What is flag2?

I located flag2.txt by using the find command:

find / -name “*flag2*” 2>/dev/null

But big shock, we don’t have the permissions needed to open it, only ubuntu does.

If you don’t know what a cron job is, it’s just a command or script you can set up on Linux to run at a specific time. You can view any scheduled cron jobs by using:

crontab -l

There’s nothing going on for Sam right now.

After looking around on the system for a bit, we find something that looks like it could be a cron job called “clean_up.sh”, owned by ubuntu. There is also a random “test.txt” file in there for no apparent reason, owned by root.

It looks like the script is being used to periodically clear the /tmp/ directory:

rm -rf /tmp/*

The test.txt file is pretty convenient, so I moved it over to the /tmp/ directory as bait:

mv test.txt /tmp/

I will wait a little bit of time to see if it gets deleted. We know by the question instructions that the cron job we want to target runs every minute.

Looks like it worked!

We can use this to our advantage to change the permissions of the file we want to open. If we input the following command into the cron job script, it will execute it with the permissions of the ubuntu user.

This will circumvent the fact that Sam does not have permissions to read flag2.txt on her own.

echo “chmod 777 /home/ubuntu/flag2.txt” >> clean_ip.sh

Be CAREFUL to use two >> signs. If you only use one, you will overwrite the file.

Wait a minute for the cron job to run, and then try to read the file.

Happy Hacking! ❤

CTF Writeups to facilitate cyber education.