Cron Job Enumeration

beginner · 20 min · Writeup

Finding and analyzing cron jobs

Learning Objectives

  • Find system cron jobs
  • Find user cron jobs
  • Analyze cron configurations
  • Identify exploitable cron jobs

Cron jobs are scheduled tasks that run automatically at specified times. When a cron job runs as root but has writable scripts or uses unsafe practices, it becomes a privilege escalation vector that executes on schedule.

Think of cron jobs as robots that wake up at set times and do tasks. If a root robot is running a script you can modify, you've just scheduled yourself a root shell. The tricky part is finding these jobs - some are hidden from regular enumeration.

Timing Matters

Unlike SUID or sudo exploits that work immediately, cron exploitation requires waiting for the job to run. Check the schedule - hourly, daily, or every minute?

Cron Job Locations

bash
# System-wide crontab
cat /etc/crontab

# Example /etc/crontab:
#   SHELL=/bin/bash
#   PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
#   # m h dom mon dow user command
#   17 * * * * root cd / && run-parts --report /etc/cron.hourly
#   25 6 * * * root test -x /usr/sbin/anacron || ...
#   47 6 * * 7 root test -x /usr/sbin/anacron || ...
#   52 6 1 * * root test -x /usr/sbin/anacron || ...
#   */5 * * * * root /opt/scripts/backup.sh

# Cron directories (run automatically)
ls -la /etc/cron.d/
ls -la /etc/cron.hourly/
ls -la /etc/cron.daily/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/

# User crontabs
crontab -l                                   # Current user's crontab
cat /var/spool/cron/crontabs/* 2>/dev/null   # All user crontabs
cat /var/spool/cron/* 2>/dev/null            # Alternative location

Crontab Syntax

# Crontab format:
# ┌───────────── minute (0 - 59)
# │ ┌───────────── hour (0 - 23)
# │ │ ┌───────────── day of month (1 - 31)
# │ │ │ ┌───────────── month (1 - 12)
# │ │ │ │ ┌───────────── day of week (0 - 6) (Sunday=0)
# │ │ │ │ │
# * * * * * command

# Examples:
* * * * *      # Every minute
*/5 * * * *    # Every 5 minutes
0 * * * *      # Every hour (at minute 0)
0 0 * * *      # Every day at midnight
0 0 * * 0      # Every Sunday at midnight
@reboot        # On system boot
@hourly        # Every hour
@daily         # Every day

Finding Cron Jobs

Direct Enumeration

bash
# All standard locations
cat /etc/crontab
cat /etc/cron.d/*
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/

# Check crontab files for all users (crontab -u needs root for other users)
for user in $(cut -d: -f1 /etc/passwd); do
    crontab -u "$user" -l 2>/dev/null
done

# Systemd timers (modern cron alternative)
systemctl list-timers --all

# Check anacron
cat /etc/anacrontab

Finding Hidden Cron Jobs with pspy

bash
# pspy monitors processes without root
# Download appropriate version
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64

# Watch for processes that start on schedule
# Example output:
# CMD: UID=0 PID=1234 | /bin/bash /opt/scripts/backup.sh
# CMD: UID=0 PID=1235 | /usr/bin/python3 /root/check.py

# Let it run for several minutes to catch scheduled tasks
# Look for:
# - Scripts running as root (UID=0)
# - Custom paths (/opt, /home, /root)
# - Scripts you might be able to modify

pspy is Essential

Some cron jobs aren't visible in crontab files (root's crontab, hidden files, etc.). pspy reveals them by watching process creation in real-time.

Analyzing Cron Jobs

bash
# When you find a cron job, check:

# 1. Who runs it?
# Look at the user field in /etc/crontab
# Or the owner of cron.d files

# 2. What script does it run?
cat /opt/scripts/backup.sh

# 3. Can you write to the script?
ls -la /opt/scripts/backup.sh
# -rwxrwxrwx = writable by everyone!

# 4. Can you write to the directory?
ls -la /opt/scripts/
# If directory is writable, you can replace the script

# 5. What does the script do?
# Does it:
# - Call commands without full paths? (PATH manipulation)
# - Use wildcards? (wildcard injection)
# - Have hardcoded credentials?
# - Create files in writable locations?

Checking Script Security

bash
# Example vulnerable script:
#!/bin/bash
cd /var/backups
tar czf backup.tar.gz *    # Wildcard = vulnerable!

#!/bin/bash
/opt/scripts/helper.sh     # Full path = safer
service mysql restart      # Relative path = vulnerable!

#!/bin/bash
echo "Backup complete" > /tmp/backup.log    # World-writable location!
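The same three jobs in hardened form, as an added example that is not part of the original page. The archive and log paths are placeholders for locations only root can write.

```shell
#!/bin/sh
# Added example: hardened form of the three jobs above.

# backup_dir SRC OUT LOG: archive SRC into OUT, then append a line to LOG.
backup_dir() (
    # Fixed PATH: unqualified names (tar here, service in the second job)
    # resolve only to system directories, whatever environment cron supplies.
    PATH=/usr/sbin:/usr/bin:/sbin:/bin
    export PATH
    umask 077    # archive and log readable and writable by the owner only

    # No shell glob: -C plus "." makes tar walk the directory itself, so
    # file names in SRC are never expanded onto tar's command line.
    tar -C "$1" -czf "$2" . || exit 1

    # LOG belongs in a directory only root can write, not /tmp.
    printf 'Backup complete: %s\n' "$2" >> "$3"
)

# Production call. /var/backups is the page's path; the archive and log
# paths are placeholders for root-owned locations.
if [ "${1:-}" = run ]; then
    backup_dir /var/backups /root/backup.tar.gz /var/log/backup.log
fi
```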

Common Cron Vulnerabilities

Vulnerable Patterns to Look For:
├── Writable script files
│   └── ls -la script.sh → check permissions
├── Writable script directories
│   └── Can replace entire script
├── PATH manipulation
│   └── Script calls commands without full paths
├── Wildcard injection
│   └── Script uses * in commands (tar, rsync)
├── Writable file references
│   └── Script reads config from writable location
├── Missing scripts
│   └── Cron references script that doesn't exist
│       └── You can create it!
└── Weak environment
    └── PATH or other variables in crontab are abusable
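One way to automate the permission checks from Analyzing Cron Jobs and the writable and missing-script patterns listed above, written as a hardening audit (added example, not part of the original page). It assumes the system crontab format with a user field, and treats every absolute path in a root job's command as something to check.

```shell
#!/bin/sh
# Added example: audit root-run jobs in system-format crontabs
# (/etc/crontab, /etc/cron.d/*), where field 6 is the user.

# loose_perms PATH: prints "w" if PATH is group- or other-writable.
# ls -L follows symlinks so the target's mode is judged, not the link's.
loose_perms() {
    case "$(ls -ldL -- "$1" 2>/dev/null)" in
        ?????w*|????????w*) echo w ;;
    esac
}

# audit_crontab FILE: prints one finding per line, "<KIND> <path>".
# Heuristic: every whitespace-separated word starting with "/" in a root
# job's command is treated as a path to check.
audit_crontab() (
    set -f                                  # keep "*" in commands literal
    while read -r m h dom mon dow user cmd || [ -n "$m" ]; do
        case "$m" in
            ''|'#'*|*=*) continue ;;        # blank, comment, VAR=value
            @*) cmd="$dom $mon $dow $user $cmd"; user=$h ;;  # @reboot etc.
        esac
        if [ "$user" != root ]; then continue; fi
        for word in $cmd; do
            case "$word" in /*) ;; *) continue ;; esac
            if [ ! -e "$word" ]; then
                echo "MISSING $word"
            elif [ -n "$(loose_perms "$word")" ]; then
                echo "WRITABLE_FILE $word"
            fi
            dir=$(dirname "$word")
            if [ -n "$(loose_perms "$dir")" ]; then
                echo "WRITABLE_DIR $dir"
            fi
        done
    done < "$1"
)

# Usage: sh audit_cron.sh /etc/crontab /etc/cron.d/*
if [ "$#" -gt 0 ]; then
    for f in "$@"; do audit_crontab "$f"; done
fi
```

The audit looks at mode bits only; a path owned by a non-root account can also be modified by that account, so review ownership of anything it lists as clean before treating the job as safe.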

Wait for Execution

After modifying a cron-related file, you must wait for the job to run. Check the schedule - if it's daily, you might wait hours. Consider the timing during engagements.

Process Monitoring Without pspy

bash
# If you can't upload pspy, use native tools:

# Method 1: Watch /proc
watch -n 1 'ps aux | grep -v "\[" | tail -20'

# Method 2: Loop through processes
while true; do
    ps aux | grep -v "\[" | diff - /tmp/oldprocs.txt 2>/dev/null
    ps aux | grep -v "\[" > /tmp/oldprocs.txt
    sleep 1
done

# Method 3: Watch specific directory
inotifywait -m /opt/scripts/ -e access -e modify

# Method 4: Check process start times
ps aux --sort=start_time | tail -20

# Method 5: Audit logs (if readable)
grep CRON /var/log/syslog
cat /var/log/cron.log 2>/dev/null

Cron Enumeration Methodology

Cron Enumeration Flow

  1. Check crontab: cat /etc/crontab and /etc/cron.d/*
  2. Cron directories: ls /etc/cron.hourly/, daily/, etc.
  3. User crontabs: crontab -l and spool directories
  4. Systemd timers: systemctl list-timers
  5. pspy: Run to find hidden scheduled tasks
  6. Analyze: Check script permissions and content

Knowledge Check


What does '*/5 * * * *' mean in crontab?

Challenges

Find the Hidden Cron

Challenge
🔥 intermediate

Using pspy or manual process monitoring, discover a cron job running as root that isn't visible in standard crontab locations.


Key Takeaways

  • Check /etc/crontab, /etc/cron.d/, and cron.hourly/daily/weekly/
  • User crontabs are in /var/spool/cron/crontabs/
  • pspy reveals hidden cron jobs by monitoring processes
  • Look for writable scripts and directories
  • PATH manipulation works when scripts use relative commands
  • Always check when jobs run - you may need to wait