Cron Jobs

Linux - Privilege Escalation - Internal All The Things

Read the cron jobs then read permissions on any scripts running

cat /etc/crontab

In CTF situations, if there are any custom scripts as cron jobs they're most likely there for a reason, especially ones running as root.

Systemd timers could aslo be running which essentially do the same thing

systemctl list-timers --all

Cron Paths

If the path of the script isn't a the full file path it will check the first path in the PATH variable for it first

Cron Wildcards

If we only have read permissions on a script but it is using a wildcard with another command, we can make that command run something malicious instead

With tar specifically we can make it run a script using touch and checkpoints

touch /home/user/--checkpoint=1
touch /home/user/--checkpoint-action=exec=sh\ rev.sh

Cron File Overwrites

Check the file permissions on the scheduled script and add a reverse shell to it

PreviousCapabilities NextCMeSS

Last updated 1 year ago

Was this helpful?