Abusing Cron Jobs
The cron time-based job scheduler is a prime target: its jobs often run at an elevated privilege level, and insecure file permissions on the files they execute can be abused.
Finding Installed Cron Jobs
Information on how to find installed cron jobs is covered in Enumerating Linux.
We can also inspect the cron logfile (/var/log/cron.log) for running cron jobs. In this example the cron entries are read from /var/log/syslog:
joe@debian-privesc:~$ grep "CRON" /var/log/syslog
...
Aug 25 04:56:07 debian-privesc cron[463]: (CRON) INFO (pidfile fd = 3)
Aug 25 04:56:07 debian-privesc cron[463]: (CRON) INFO (Running @reboot jobs)
Aug 25 04:57:01 debian-privesc CRON[918]: (root) CMD (/bin/bash /home/joe/.scripts/user_backups.sh)
Aug 25 04:58:01 debian-privesc CRON[1043]: (root) CMD (/bin/bash /home/joe/.scripts/user_backups.sh)
Aug 25 04:59:01 debian-privesc CRON[1223]: (root) CMD (/bin/bash /home/joe/.scripts/user_backups.sh)
Inspect The Binary
joe@debian-privesc:~$ cat /home/joe/.scripts/user_backups.sh
#!/bin/bash
cp -rf /home/joe/ /var/backups/joe/
joe@debian-privesc:~$ ls -lah /home/joe/.scripts/user_backups.sh
-rwxrwxrw- 1 root root 49 Aug 25 05:12 /home/joe/.scripts/user_backups.sh
In this example, the script that cron runs as root is owned by root but is world-writable (-rwxrwxrw-), so we have write permissions over it and can modify the code directly. We can replace its contents with a reverse shell one-liner to receive a root-level shell on our attack machine.