Cronjobs

View system-wide cron jobs

/etc/crontab

$ cat /etc/crontab
...
* * * * *  root /antivirus.sh
* * * * *  root /home/karen/backup.sh
...

Common misconfigurations to exploit

Assuming the cron jobs are executed as root

  1. The cron script has been deleted, but its job entry is still present in the crontab file

  2. The script file is writable by the current user

$ cat /etc/crontab
...
* * * * * root /home/user/run.sh
...

# 1)
$ locate run.sh # no results
$ find / -name run.sh 2>/dev/null # no results

# create run.sh in the /home/user directory
$ cd /home/user
$ nano run.sh
...

$ cat run.sh
#!/bin/bash
... start reverse shell, etc.

# 2)
# user home directory - writable by the current user
$ ls -l /home/user/run.sh
-rw-r--r-- 1 user user xx xxx xx xxxx /home/user/run.sh

$ cd /home/user
$ nano /home/user/run.sh
... append in malicious script
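
To check a host for both conditions above, the following added example (not part of the original notes) parses a system crontab and flags root jobs whose script is missing or can be edited by a non-root account. The function names and the optional trusted-uid argument are assumptions made for this example, and the sample crontab is constructed.

```sh
#!/bin/sh
# Added example; helper names are this example's own, not from the notes.
# untrusted_writable PATH TRUSTED_UID: succeeds when PATH is owned by another
# uid or carries a group/other write bit (mode string columns 6 and 9).
untrusted_writable() {
    info=$(ls -ldnL -- "$1" 2>/dev/null) || return 1
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    [ "$uid" != "$2" ] && return 0
    case ${info%% *} in ?????w*|????????w*) return 0 ;; esac
    return 1
}

# audit_crontab FILE [TRUSTED_UID]: one finding per risky root job in a
# system crontab (five time fields or @keyword, then user, then command).
audit_crontab() {
    trusted=${2:-0}
    # Skip comments, blank lines and VAR=value environment settings.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*[[:space:]]*=)' "$1" |
    while read -r m h dom mon dow user cmd rest; do
        case $m in @*) user=$h; cmd=$dom ;; esac
        [ "$user" = root ] || continue
        case $cmd in /*) ;; *) continue ;; esac   # absolute paths only
        if [ ! -e "$cmd" ]; then
            echo "MISSING $cmd"                    # case 1: stale entry
        elif untrusted_writable "$cmd" "$trusted" ||
             untrusted_writable "$(dirname "$cmd")" "$trusted"; then
            echo "WRITABLE $cmd"                   # case 2: non-root can edit
        fi
    done
}

# Constructed sample in a throw-away directory. The current uid stands in
# for root as the trusted owner so the demo also runs unprivileged.
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/ok.sh";   chmod 755 "$d/ok.sh"
    printf '#!/bin/sh\n' > "$d/open.sh"; chmod 757 "$d/open.sh"
    cat > "$d/crontab" <<EOF
SHELL=/bin/sh
# m h dom mon dow user command
* * * * * root $d/ok.sh
* * * * * root $d/open.sh --quiet
* * * * * root $d/gone.sh
17 * * * * karen $d/gone.sh
EOF
    audit_crontab "$d/crontab" "$(id -u)" | sed "s|$d/||"
    rm -rf "$d"
}
demo
```

On a real host, call `audit_crontab /etc/crontab`; the trusted uid then defaults to 0 (root). A MISSING entry should be removed from the crontab, and a WRITABLE script should be moved to a root-owned directory and made writable by root only.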
