Enumerate Cron Jobs
Watch for Cron Execution (pspy)
Writable Cron Scripts
If a cron job runs a script as root and you can write to it:Check Permissions
Inject Reverse Shell
Inject SUID bash
PATH Hijacking
If/etc/crontab has a writable directory in PATH before system dirs:
backup.sh without full path and /home/user is writable:
Wildcard Injection
tar Wildcard
If cron runs:* expands filenames as arguments. Create files that become tar flags:
rsync Wildcard
If cron runs:chown Wildcard
If cron runs:Writable Cron Directory
If/etc/cron.d/ is writable:
Systemd Timers
Overwrite /etc/crontab
If/etc/crontab is writable: