Cron Job Abuse

Each entry in the crontab file requires six items in the following order: minutes, hours, day of month, month, day of week, command. For example, the entry 0 */12 * * * /home/admin/backup.sh would run every 12 hours.

Enumeration

cat /etc/crontab
crontab -l # user cronjobs
sudo crontab -l # root cronjobs

Writable files or directories

  1. /etc/crontab

  2. /etc/cron.d

  3. /var/spool/cron/crontabs/root

If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.

Writable files

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

/etc/cron.daily/backup
/dmz-backups/backup.sh
/proc
/sys/fs/cgroup/memory/init.scope/cgroup.event_control

<SNIP>
/home/backupsvc/backup.sh

<SNIP>

Files are created every three minutes, and the backup.sh shell script is world-writable and runs as root.
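The enumeration and writable-files checks above, done by hand with crontab -l and find, combined into one audit as an added example (not from the original notes): parse crontab entries, resolve the script each one runs, and flag any script that is world-writable or that sits in a world-writable directory. The crontab text and the files in demo() are constructed for the demonstration.

```python
import os
import shlex
import tempfile

INTERPRETERS = {"sh", "bash", "dash", "python", "python3", "perl"}

def cron_command(line, system_crontab):
    # Command part of one crontab line; None for blanks, comments and VAR=value settings.
    # /etc/crontab and /etc/cron.d/* carry a user field after the five time fields.
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    n = (1 if line.startswith("@") else 5) + (1 if system_crontab else 0)
    fields = line.split(None, n)
    return fields[n] if len(fields) > n else None

def script_path(command):
    # The file that actually runs: the binary itself, or the script handed to an interpreter.
    argv = shlex.split(command)
    if argv and os.path.basename(argv[0]) in INTERPRETERS and len(argv) > 1:
        return argv[1]
    return argv[0] if argv else None

def world_writable(path):
    return os.path.exists(path) and bool(os.stat(path).st_mode & 0o002)  # S_IWOTH bit

def audit_crontab(text, system_crontab=True):
    # Flag scheduled scripts anyone can edit, or replace via a world-writable directory.
    findings = []
    for line in text.splitlines():
        cmd = cron_command(line, system_crontab)
        path = script_path(cmd) if cmd else None
        if not path or not os.path.isabs(path):
            continue
        if world_writable(path):
            findings.append((path, "world-writable script"))
        elif world_writable(os.path.dirname(path)):
            findings.append((path, "world-writable directory"))
    return findings

def demo():
    # Constructed layout: a safe job, a world-writable script, and a script in a world-writable dir.
    root = tempfile.mkdtemp()
    os.mkdir(f"{root}/dmz-backups"); os.chmod(f"{root}/dmz-backups", 0o777)
    for name, mode in (("safe.sh", 0o755), ("backup.sh", 0o777), ("dmz-backups/job.sh", 0o755)):
        with open(f"{root}/{name}", "w") as f: f.write("#!/bin/sh\necho ok\n")
        os.chmod(f"{root}/{name}", mode)
    crontab = (f"# constructed system crontab\nSHELL=/bin/sh\n*/3 * * * * root {root}/backup.sh\n"
               f"0 */12 * * * root /bin/bash {root}/safe.sh\n@reboot root {root}/dmz-backups/job.sh\n")
    return {os.path.basename(p): why for p, why in audit_crontab(crontab)}
```

Run against the real files by reading /etc/crontab and each file in /etc/cron.d with system_crontab=True, and the output of crontab -l with system_crontab=False.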

Confirm that the cron job is actually running by watching for it with pspy.

If editing a script, make sure to ALWAYS take a copy of the script and/or create a backup of it. We should also append our commands to the end of the script so that it still runs properly before executing our reverse shell command.

Modify the script to add a Bash one-liner reverse shell
