search

Cron Job Abuse

Each entry in the crontab file requires six items in the following order: minutes, hours, days, months, weeks, commands. For example, the entry 0 */12 * * * /home/admin/backup.sh would run every 12 hours

hashtag
Enumeration

cat /etc/crontab
crontab -l # user cronjobs
sudo crontab -l # root cronjobs

hashtag
Writeable files or directories

  1. /etc/crontab

  2. /etc/cron.d

  3. /var/spool/cron/crontabs/root

If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.

hashtag
Writable files

find / -path /proc -prune -o -type f -perm -o+w 2>/dev/null

/etc/cron.daily/backup
/dmz-backups/backup.sh
/proc
/sys/fs/cgroup/memory/init.scope/cgroup.event_control

<SNIP>
/home/backupsvc/backup.sh

<SNIP>

Files created every three minutes + backup.sh shell script is world writeable and runs as root.

Confirm that a cron job is running using pspyarrow-up-right

circle-info

If editing a script, make sure to ALWAYS take a copy of the script and/or create a backup of it. We should also attempt to append our commands to the end of the script to still run properly before executing our reverse shell command.

Modify the script to add a Bash one-liner reverse shellarrow-up-right

PreviousVulnerable ServicesNextKubernetes

Last updated