Tags: linux

Rating:

# Crond Writeup (Linux challenge)

## __Author:__ bytevsbyte @ beerpwn team

The challenge provides ssh access as __ctf__ user.\
At the first glance, it seems there are no interesting files on the machine.
In /home/ctf/ as in other path there is no trace of flag.\
The name of the challenge refers to cron so I search for all possible cron file
and check my cron with _crontab_, but this command doesn't exist.\
With find, and _"\*cron\*"_ as search string, I get the __/usr/bin/fakecronsh__ file,
interesting!\
Before examining the file, I want to enumerate a little more.\
In case of repetitive tasks, looking at what processes are spawned in a time range
can reveal a lot of things.\
I could run __ps__ so I can look for something useful.. and ps was not found :'(\
Ok, I can see processes the same way with ls -al /proc/:

![Image of ps](./files/ps_ax.png)

There are some processes owned by root. In the figure the process with pid 21975
dead and spawn with new PID continuously. But the 7 and 8 are always alive.
With cat /proc/7/cmdline can be retrieved the original command:

![Image of fakecron](./files/fake_cronsh_crop.png)

The same fakecron that I found with _find_ command.
This is the right way!\
Look at the script to figure out what it does.

[Script](./fakecron.sh)

So, there's a /etc/deadline file and the values _target\_second_, _target\_minute_..
are loaded each loop iteration from this. Note that I have write permission on this file.\
The _second_, _minute_, _hour_.. are initialized with hardcoded integers in the script
and are incremented at each iteration.\
The flag part here resides in the _if_ statement.
There's a commented line with _echo_ of possible flag into /home/ctf/flag.txt.\
Below this there is the __exec_flag__ command, that I hope it does the same thing.

![Image if script](./files/ifcondition.png)

All variables must be equal to their relative _target\_xxx_ to satisfy the condition.
I need those numbers!!!\
Fortunatelly they are written in the /etc/faketimerc with different format.\
Ok.. I can read the current (one second before) values from __faketimerc__ and put them,
in the correct format, into the __deadline__ file.\
At the end I could check if there is a flag file in the home dir.
Note the second value that is +1:

(bash)
while [ 1 -eq 1 ]; do
faket=cut -d ' ' -f2 /etc/faketimerc
h=echo $faket | cut -d ':' -f1; m=echo$faket | cut -d ':' -f2;
s=echo $faket | cut -d ':' -f3; echo "FAKETIME:$faket";
echo "2019 1 1 $h$m $((s+1))" | tee /etc/deadline cat /etc/faketimerc; ls -al /home/ctf done  Perfect, all done, all ready!\ Launch it and ... It doesn't work. No flag.txt was created. Good!\ I tried to find the mistake paying more attention to the if in _fakecron_: ![Image if script edit](./files/ifcondition_edit.png) Ohhh, son of a ... hour and seconds in fakecron are inverted!\ This is the one line version of my previous script __fixed__: (sh) while [ 1 -eq 1 ]; do faket=cut -d ' ' -f2 /etc/faketimerc; h=echo$faket | cut -d ':' -f1; m=echo $faket | cut -d ':' -f2; s=echo$faket | cut -d ':' -f3; echo "FAKETIME: $faket"; echo "2019 1 1$((s+1)) $m$h" | tee /etc/deadline; cat /etc/faketimerc; ls -al /home/ctf; done


And finally I have the flag!

![Image if script edit](./files/output_flag.png)

Original writeup (https://github.com/beerpwn/ctf/tree/master/2019/WPICTF_ctf/crond_linux).