Understanding Linux Cron Jobs

Understanding the role of Linux cron jobs and how they can help you during penetration tests.

If you are coming from a Windows background, cron jobs are the same as scheduled tasks. Cron is a utility on POSIX operating systems for configuring and executing scheduled tasks on behalf of a user.

Yes, but what is this post doing in a security forum?
Many companies use cron jobs on their internal management servers to run scheduled maintenance or backups, usually on behalf of the root user. If they are poorly managed, one can take control of the organisation by abusing the config file. You will also see some HackTheBox and VulnHub machines with cron-job-based solutions.

I can add the complete write-ups of the machines that I have solved, which are provided by VulnHub. I leave this to you: simply Google "vulnhub cron job" and you will see the machines and their write-ups. The machine I solved and recommend to you is Sar 1.

Regarding real-world news, I have included a few articles in the Resources section. Feel free to read them.

So let's begin ...

Is the cron service running?

Cron jobs are orchestrated by the service running on the system. There are different services for this.

The syntax of the command is service <service-or-unit-name> start|status|stop|restart. Since we need to check the status of the cron unit in this case, the command is:

service cron status

Yes, indeed.

How many cron jobs are scheduled for the root user?

The cron job configuration for the current user is managed by a command called crontab. With it you can create, delete and update cron job tasks, each of which is specified on one line of a plain-text configuration file.

To list the cron jobs declared by the current user, run crontab -l.

So there are 5 jobs. How? I guess it's time that I should explain the crontab file syntax.

# in the configuration file is used to put a comment line anywhere in the file. So what does this mean? Comments are for the developers or users. The cron job service will simply ignore this line and move onto the next line.

You can define variables as you do in shell scripts: VAR_NAME=VALUE. In this case, it's MAILTO="[email protected]"

Each line starting with * or a number is treated as a cron job or task. It is the magic line that the cron service will execute. The format you see in the last comment line of the image is how you define a cron entry: the time fields come first, and the last component is the command to be executed. The command can be a bash command, an executable found through the PATH environment variable, or the exact path of an executable file.

I know this scheduling time is difficult to understand. Even after using cron jobs for ~ 6 years, I couldn't figure it out. So you can use a web utility called CronTab Guru. I must say it's an amazing application.

Which binary is supposed to run 10 minutes after midnight, every day?

From CronTab Guru, I found that the second job executes 10 minutes after midnight every day.

Which binary is supposed to run at 2:10 PM on the first of every month?

2 PM is 14 in 24-hour format, and crontab uses the 24-hour format. So, in this case, it would be the first job.

Which binary is supposed to run 10 minutes after midnight, 2 AM, 4 AM …, every day?

As you can see, this case is about steps, and the step size is 2. In a cron job, you define steps using the / directive. So in this case it would be the 4th job.

Which binary is supposed to run at 8 PM on weekdays?

8 PM in 24-hour format is 20, and weekdays run from Monday (1) to Friday (5). So in this case, it would be the last job.

Which binary is supposed to run at 10 after 4 every Saturday?

The cron file is convenient enough that you can give day names instead of numbers, and it will execute the command on that particular day or days. So in this case, it would be the 3rd job.
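The syntax rules above (comments, variables, five time fields, steps with / and day names) can be checked mechanically. The following is an added example, not code from the original post: a small crontab parser that reports which jobs fire at a given time. The sample crontab is constructed, with placeholder job paths and address, and the function names are this example's own.

```python
import re
# Constructed sample crontab, not the lab's own; paths and address are placeholders.
SAMPLE = """\
# m h dom mon dow command
MAILTO="ops@example.invalid"
10 14 1 * * /opt/jobs/a
10 0 * * * /opt/jobs/b >/dev/null 2>&1
10 4 * * sat /opt/jobs/c
10 */2 * * * /opt/jobs/d
0 20 * * 1-5 /opt/jobs/e
"""
DAYS = {d: i for i, d in enumerate("sun mon tue wed thu fri sat".split())}
# (low, high, name table) for minute, hour, day-of-month, month, day-of-week
SPEC = [(0, 59, {}), (0, 23, {}), (1, 31, {}), (1, 12, {}), (0, 7, DAYS)]

def expand(field, lo, hi, names):
    """Expand '*', 'a', 'a-b', 'a,b', '/step' and names into a set of ints."""
    out = set()
    for part in field.lower().split(","):
        rng, _, step = part.partition("/")
        a, _, b = rng.partition("-")
        num = lambda s: names[s] if s in names else int(s)
        start, end = (lo, hi) if rng == "*" else (num(a), num(b or a))
        if not lo <= start <= end <= hi:
            raise ValueError(f"field {field!r} outside {lo}-{hi}")
        out.update(range(start, end + 1, int(step or 1)))
    return out

def parse(text):
    """Split a crontab into (variables, jobs), ignoring comments and blanks."""
    env, jobs = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue
        var = re.match(r"([A-Za-z_]\w*)\s*=\s*(.*)", line)
        if var:
            env[var.group(1)] = var.group(2).strip("\"'")
            continue
        *fields, command = line.split(None, 5)
        sets = [expand(f, *SPEC[i]) for i, f in enumerate(fields)]
        sets[4] = {d % 7 for d in sets[4]}  # 7 is Sunday, same as 0
        jobs.append({"fields": fields, "sets": sets, "command": command})
    return env, jobs

def due(job, minute, hour, dom, month, dow):
    """True if the job fires at that time (dow: 0=Sunday .. 6=Saturday)."""
    m, h, d, mo, w = job["sets"]
    both = job["fields"][2] != "*" and job["fields"][4] != "*"
    day = (dom in d or dow in w) if both else (dom in d and dow in w)
    return minute in m and hour in h and month in mo and day
```

Running due() over every job for 00:10 shows that the */2 job fires then as well as the daily one, which is easy to miss when reading the file by eye.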

To which email address will the output of the scheduled command/script be sent?

The crontab file has a special variable, MAILTO, for sending the reports or logs of cron jobs by email. You can define it on the very first line of the crontab file. You can read more about it on the serverfault forum.

Cron job for which binary will not trigger an email?

If your command doesn't produce any output on stderr or stdout, nothing is sent by mail. In fact, this is how you disable emailing for a particular command in the crontab; read more about it here. So, in this case, it would be the second job.

Avoid being compromised from misconfigured cronjobs

TBH, it's mathematically proved that no system is secure and an attacker will eventually penetrate through every security mechanism. But you can perform server hardening to make it difficult for the bad users to compromise the target.

One more thing: NEVER EXECUTE COMMANDS WITH sudo or as the root user, and avoid using SUID binaries in the job. If you are a decent bash developer, you can write a bash script that adds some pre-checks before executing the commands, to prevent them from being compromised.
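One kind of pre-check for the hardening advice above, written here in Python as an added example (not from the original post): it lists the executables a crontab runs and reports any that are not owned by the expected user or that are group- or world-writable, along with their parent directories. The function names are this example's own, and it assumes the user-crontab layout of five time fields followed by the command.

```python
import os
import shlex
import stat

def cron_targets(crontab_text):
    """Yield the absolute executable path of each job line in a user crontab."""
    for line in map(str.strip, crontab_text.splitlines()):
        parts = line.split(None, 5)
        # Skip comments, blank lines and VAR=VALUE lines.
        if line.startswith("#") or len(parts) < 6 or "=" in parts[0]:
            continue
        prog = shlex.split(parts[5])[0]
        if os.path.isabs(prog):
            yield prog

def audit(path, owner_uid=0):
    """Return reasons why `path` is not under the sole control of owner_uid."""
    findings = []
    for p in (path, os.path.dirname(path)):
        try:
            st = os.stat(p)
        except OSError as exc:  # a missing target is itself a finding
            findings.append(f"{p}: {exc.strerror}")
            continue
        if st.st_uid != owner_uid:
            findings.append(f"{p}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{p}: group/world writable")
    return findings

def audit_crontab(crontab_text, owner_uid=0):
    """Map each job executable with problems to its list of findings."""
    report = {}
    for prog in cron_targets(crontab_text):
        findings = audit(prog, owner_uid)
        if findings:
            report[prog] = findings
    return report
```

For root's crontab, pass the output of crontab -l and keep the default owner_uid of 0; an empty report means every job target and its directory is writable only by root.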

Conclusion

Cron is a time-based scheduling utility for executing commands, and crontab is used to manage the tasks. Each command to be executed is written on its own line. It is one of the poorly managed services that can lead to system takeover, or to a reverse connection being kept persistent by making a polling request at every interval.

The beautiful image used in this article was created by the very talented, internationally acclaimed photographer and visual artist Flora Borsi of Hungary. We fell in love with her work.