Skip to content

Cron priv esc#367

Open
girlier wants to merge 22 commits into
cliffe:masterfrom
girlier:cron_priv_esc
Open

Cron priv esc#367
girlier wants to merge 22 commits into
cliffe:masterfrom
girlier:cron_priv_esc

Conversation

@girlier
Copy link
Copy Markdown

@girlier girlier commented May 27, 2026

2 Cron based access control misconfiguration

1. Cron Writeable

Creates a globally writeable script that runs as a specified user (default: root) that can be used to escalate privilege

2. Cron Tar Wildcard

Creates a writeable folder and a cron job to run a tar compression with wildcard. A user can create fake checkpoints to run commands on the specified user (default: root)

Scenario

These modules contain a example ctf called root cron-trol that involves horizontal and vertical escalations to gain root through both exploits.

Both modules can be configured to specify file location and user that can be accessed from the exploit.

There is also a random_file_path module which selects a random path (common config file locations) (!For highest reliability specify a path)

girlier and others added 22 commits March 30, 2026 15:10
@girlier
Add cron-based privilege escalation modules and CTF scenario
2fcbbbb 
Two new vulnerability modules under access_control_misconfigurations:
- cron_tar_wildcard: tar wildcard injection via root cron job
- cron_writable_script: world-writable cron script executed as root

Both adapted from benchmark-privesc-linux scenarios cliffe#11 and cliffe#12.
Includes CTF scenario (cron_privesc.xml) chaining RCE with cron priv-esc
on Debian 12, with 1 shared flag in /root/.
@girlier
Fix invalid difficulty value in cron_writable_script metadata
fb1c9c3 
Changed <difficulty>easy</difficulty> to <difficulty>low</difficulty> to
conform with vulnerability_metadata_schema.xsd which only allows
low, medium, or high as valid enumeration values.
@girlier
Fix cron_privesc scenario: change server base type from server to des…
2594cf9 
…ktop

No Debian 12 server base module exists. Changed to type desktop with
KDE to match the available debian_bookworm_desktop_kde base module.
@girlier
Change Hint to involve sudo -l
bb7b33d
@girlier
Add random_file_path generator for configurable cron locations
945a814 
- New generator selects from 15 system paths, optionally includes user-specific paths when username provided
- Both cron escalation modules now use random_file_path for configurable deployment locations
- cron_writable_script uses random_evil_plans for dynamic script content
- Path validation, permission checks, and detailed logging for debugging/auditing
@girlier
Add optional cron_user parameter for horizontal privilege escalation
3c03dc8 
- New cron_user parameter defaults to root but can be set to any user
- Enables horizontal privilege escalation scenarios (user-to-user escalation)
- Leak storage directory dynamically adjusts based on cron_user
- Updated description to reflect configurable escalation type
@girlier
Add permission control to cron_tar_wildcard module
f1ea5fa 
- Default: world-writable (0777) for backup/archive directories
- Optional restrict_write_user parameter limits write access to specific user
- User validation via exec ensures user exists before applying restrictions
- cron_user parameter allows non-root cron execution
- Clear permission hierarchy logging via notice statements
- Leak storage directory adjusts based on cron_user
@girlier
Restrict crontab viewing when restrict_write_user is set
fa02321 
- When restrict_write_user is specified, only that user can sudo crontab -l
- Default behavior (no restriction): all users can view crontab via sudo
- Added notice statements for permission hierarchy clarity
- Updated description to document crontab restriction behavior
@girlier
Implement two-stage privilege escalation scenario: Root Cron-trol
fda8450 
- Stage 1: SSH access as lowpriv user, horizontal escalation via writable cron script (lowpriv -> backup user)
- Stage 2: Vertical escalation to root via tar wildcard injection in root cron job
- Uses random_file_path generator for randomized file locations
- cron_writable_script configured with cron_user=backup for horizontal escalation
- cron_tar_wildcard configured with restrict_write_user=backup for targeted exploitation
- Two distinct flags: horizontal_flag (user escalation), root_flag (root escalation)
- Renamed from cron_privesc.xml to root_cron-trol.xml
@girlier
Make target_user random in Root Cron-trol scenario
a70879e 
- Changed target_user from hardcoded 'backup' to username_generator
- Both lowpriv_user and target_user are now randomly generated
- Increases realism and prevents predictable username exploitation
@girlier
Format root_cron-trol scenario to match project standards
135d926 
- Added empty line after XML declaration (standard format)
- Added comments for IP addresses indicating which system they belong to
- Split CyBOK entries into logical sections with comments
- Added comments for vulnerability sections (SSH, horizontal, vertical)
- Removed redundant 'cron' keyword from CyBOK
@girlier
Fix base64 decode crash: Logger outputs to stderr not stdout
410d259 
- Changed Logger.new() to Logger.new()
- SecGen captures stdout expecting only base64-encoded output
- Logger messages interleaved with output caused strict_decode64 failures
- stderr now receives logging/debug info, stdout only has base64 output
@girlier
Fix Puppet array interpolation: extract [0] from secgen_parameters
08375a3 
- SecGen generators output arrays, not single values
- Without [0], Puppet interpolates array as '[value]' string
- Added [0] extraction for cron_location, cron_user, cron_message, restrict_write_user
- Matches pattern used in all other SecGen modules
- Fixes 'File paths must be fully qualified' error with malformed paths like '[/home/user/.config]/cron.sh'
@girlier
Fix sudo class declaration: move outside conditional block
2202f44 
- sudo::conf define requires ::config_dir from sudo class
- Declaring sudo class inside conditional caused dependency resolution failure
- Moved 'class { sudo: ... }' to top level, matching sudo_root_less pattern
- sudo::conf resources remain conditional (only created when show_crontab_hint is true)
@girlier
Comprehensive audit fixes: critical and high severity issues
d0d681d 
CRITICAL FIXES:
- Added cron_user validation in cron_writable_script (exec check before file creation)
- Shared cron_location datastore prevents inconsistent random selections between modules

HIGH FIXES:
- Single generator for cron_location used by both vulnerabilities in scenario
- Added require dependency for user validation exec

LOW FIXES:
- Removed unused 'fileutils' require in random_file_path generator

AUDIT FINDINGS DOCUMENTED:
- Race condition with cron * minute (accept as design for rapid testing)
- sudo always declared (acceptable as sudo typically needed)
- Logger INFO level (acceptable for debugging)
@girlier
Fix sudo puppet module dependency in cron_tar_wildcard
2fcfc38 
- Added utilities/unix/puppet_module/sudo to <requires>
- sudo::conf requires sudo class which needs sudo puppet module loaded
- Matches pattern used in all other sudo-using vulnerability modules
- This was the root cause of the Vagrant provisioning error
@girlier
CRITICAL FIX: Separate requires blocks for each puppet module dependency
5db6a09 
- Multiple <module_path> in ONE <requires> block only selects ONE module
- Each dependency must have its OWN <requires> block
- SecGen's select_modules() selects first matching module from search_list
- This was why sudo puppet module wasn't being loaded despite being listed

Root cause: module_reader.rb parses all module_paths in one requires block
into a single hash, and select_modules only returns ONE module match
@girlier
Fix: Create cron_location directory before placing files
9eff587 
- random_file_path can select nested paths like /home/user/.config/local
- These directories don't exist by default, causing Puppet file creation to fail
- Added file resource to ensure cron_location directory exists first
- Added require dependencies to cascade: cron_location -> backup_dir -> cron job

Error was: 'No such file or directory - A directory component in
/home/user/.config/local/cron.sh.lock does not exist'
@girlier
Simplify scenario: single machine, no SSH, no Kali
8c07f84 
- Removed attack_vm (Kali) system for faster build
- Removed SSH vulnerability requirement
- Single Debian server with local access
- Fixed lowpriv credentials: lowpriv/password (discoverable)
- Random target_user for horizontal escalation
- Players log in directly to Debian desktop as lowpriv
- Two-stage escalation remains: lowpriv → target_user → root
- Fixed IP: 192.168.56.10 for easier testing
@girlier
Change lowpriv to random username with fixed password
aa4d635 
- lowpriv_user: now uses username_generator (random)
- lowpriv_pass: fixed as tiaspbiqe2r (shown in hints)
- Players see available usernames on KDE login screen
- Added hints for password and exploitation techniques
@girlier
Update scenario: separate cron locations, KDE autologin, DHCP network
19d020c 
- Split cron_location into horizontal_cron_location and vertical_cron_location
- Add kde_minimal utility with autologin for lowpriv_user
- Change network to DHCP (no fixed IP)
- Use strong_password for target_pass (harder to crack)
- Remove explicit hints (password in description only)
- Add securerandom require to generator
- Use Random.new for explicit randomness control
@girlier
Merge branch 'cliffe:master' into cron_priv_esc
484a623
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@girlier