My goal is to learn more about Linux Privilege Escalation.
Currently I’m trying to exploit a simple cron vulnerability. The cron (run by the target user) executes whatever .sh file is in a certain directory, and the directory is writable for my current user. Therefore I can create a .sh script in that directory which in essence creates another .sh script owned by the target user, chmod’s 4777 that script, and eventually spawns a shell (with the privileges of the target user).
The code of the exploit .sh script inside the writable directory which is later run by the target user:
#!/bin/bash
touch /tmp/getShell.sh #probably unnecessary
cat exploitTemplate.sh > /tmp/getShell.sh
chmod 4777 /tmp/getShell.sh
The exploitTemplate.sh script has the following content (I have tried many variations, none work):
#!/bin/bash
/bin/bash -i
Everything works, the getShell.sh file gets created with 4777 priv. The problem is that I’m still the “old” user after running getShell.sh. In my understanding of the SUID bit, in this case, running the script as any user results in a shell with the privileges of the file owner, which is the target user.
I found a way to get a shell by using gcc and the usage of setresuid of the target user, but I would like to understand why the approach above does not work.
Thanks in advance.
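Added note and example, not part of the original post: on Linux the kernel ignores the setuid bit on interpreter scripts (files starting with `#!`), because it executes the interpreter, not the script, with the caller's own credentials; so the 4777 file above never elevates anyone, and the actual weakness is the cron directory that other users can write to. The following bash audit helper (assumes GNU coreutils `stat` and `find`; the function names are my own) flags both conditions: a cron script directory writable by group or others, and setuid files that are shell scripts, which indicate tampering rather than a real privilege boundary.

```shell
#!/bin/bash
# Added audit helper (not from the original post). Paths come from the caller.

# Returns 0 if DIR is writable by group or others. A directory that cron
# executes scripts from must only be writable by its owner, otherwise any
# local user can plant a script that the cron user will run.
cron_dir_is_writable_by_others() {
    local dir="$1" mode grp oth
    [ -d "$dir" ] || return 2
    # Octal mode without leading zeros, e.g. 755 or 4777 (GNU stat; BSD fallback)
    mode=$(stat -c '%a' "$dir" 2>/dev/null || stat -f '%Lp' "$dir")
    grp=$(( (mode / 10) % 10 ))   # group permission digit
    oth=$(( mode % 10 ))          # other permission digit
    if [ $(( grp & 2 )) -ne 0 ] || [ $(( oth & 2 )) -ne 0 ]; then
        return 0
    fi
    return 1
}

# Prints every setuid file under DIR whose first bytes are "#!". Linux ignores
# the setuid bit on such scripts, so they grant nothing, but their presence
# usually means someone expected them to and is worth investigating.
find_setuid_scripts() {
    local dir="$1"
    find "$dir" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        if head -c 2 "$f" 2>/dev/null | grep -q '^#!'; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage: ./audit.sh /path/to/cron/script/dir (runs only when a directory is given)
if [ -n "${1:-}" ]; then
    if cron_dir_is_writable_by_others "$1"; then
        echo "WARNING: $1 is writable by group or others"
    fi
    find_setuid_scripts "$1"
fi
```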