Cron Job and Scheduled Task Exploitation
Cron jobs running as privileged users provide escalation opportunities through writable scripts or PATH manipulation. Enumerate system-wide crontabs (/etc/crontab, /etc/cron.d/), user crontabs (/var/spool/cron/), and systemd timers. Running processes and file timestamps indicate active scheduled tasks even without direct crontab access. Patient observation reveals execution patterns.
Writable cron scripts offer direct privilege escalation through modification. If privileged cron jobs execute scripts with weak permissions, inject reverse shells or privileged commands. Ensure modifications maintain script functionality to avoid detection. Simple additions at script beginnings execute payloads while preserving original behavior.
PATH environment variable manipulation in cron contexts enables command substitution similar to SUID exploitation. A cron job whose custom PATH lists a writable directory ahead of the system directories lets an executable placed in that directory be found first. Create programs matching expected commands but containing privilege escalation payloads. This technique succeeds when administrators call commands by bare name rather than by absolute path in cron scripts.
Wildcard exploitation in cron commands provides subtle escalation vectors. Commands using wildcards (*) for file operations might accept specially crafted filenames as parameters. Tar, rsync, and similar commands processing user-controlled filenames enable arbitrary parameter injection. Research specific command behaviors to craft filenames achieving code execution.
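To check a host for the three conditions described above (writable job targets, writable PATH directories with bare command names, and unanchored wildcards), the following added example audits crontab text from the defender's side. It is not code from the original page; the function names, the builtin and command lists, and the sample crontab are constructed for illustration.

```python
import os
import re

# Constructed sample in /etc/crontab format (not from a real host).
SAMPLE = """\
PATH=/home/dev/bin:/usr/bin:/bin
*/5 * * * * root /opt/scripts/backup.sh
0 2 * * * root cd /var/www/uploads && tar czf /backups/up.tgz *
30 3 * * * root cleanup --all
"""
BUILTINS = {"cd", "echo", "test", "[", "exit", "export"}   # illustrative subset
GLOB_SENSITIVE = {"tar", "rsync", "chown", "chmod"}        # illustrative subset

def other_writable(path):
    """True if path exists and is group- or world-writable."""
    try:
        return bool(os.stat(path).st_mode & 0o022)
    except OSError:
        return False

def audit_crontab(text, writable=other_writable):
    """Return (line_no, issue) findings for /etc/crontab-format text."""
    out = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("PATH="):
            out += [(no, f"writable PATH dir: {d}")
                    for d in line[5:].strip("\"'").split(":") if writable(d)]
            continue
        want = 3 if line.startswith("@") else 7  # schedule, user, command
        fields = line.split(None, want - 1)
        if len(fields) < want or re.match(r"\w+=", line):
            continue  # other environment assignments or malformed lines
        for part in re.split(r"&&|\|\||[;|]", fields[-1]):
            toks = part.split()
            if not toks:
                continue
            cmd = toks[0]
            if "/" in cmd:
                if writable(cmd):
                    out.append((no, f"writable job target: {cmd}"))
            elif cmd not in BUILTINS:
                out.append((no, f"relative command via PATH: {cmd}"))
            if os.path.basename(cmd) in GLOB_SENSITIVE and "--" not in toks and any(
                    "*" in t and not t.startswith(("/", "./")) for t in toks[1:]):
                out.append((no, f"unanchored wildcard passed to {cmd}"))
    return out
```

Each finding maps to a fix: tighten permissions on the target or directory, call commands by absolute path, and write wildcards as `./*` or after `--`. The default permission check looks only at mode bits, so files owned by a non-root account need a separate ownership check.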