# Cron Jobs

Cron jobs run with the security level of the user who owns them. By default, cron jobs are run using the /bin/sh shell, with limited environment variables.

Cron table files (crontabs) store the configuration for cron jobs. User crontabs are usually located in /var/spool/cron/ or /var/spool/cron/crontabs/. The system-wide crontab is located at /etc/crontab.

### PATH Environment Variable

The crontab PATH environment variable is by default set to /usr/bin:/bin. The PATH variable can be overwritten in the crontab file.

If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the one the cron job runs.

In the example below, the PATH variable shows that the /home/user directory is searched before any other, and the overwrite.sh script is defined without an absolute path. This means we can create an overwrite.sh file in the /home/user directory and the cron job should execute that file instead of the original.

![[Pasted image 20220806001552.png]]

We will have it create a SUID copy of the bash executable in the /tmp directory.

```bash
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
```

Make sure the newly created overwrite.sh file is executable. Wait for the cron job to execute.

```bash
$ watch -n 1 ls -l /tmp
```

The above runs the ls -l command on the /tmp directory every second. When the cron job runs and creates the new bash executable, run the following:

```bash
$ /tmp/rootbash -p
```
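An audit for the pattern described above, added here as an example and not part of the original note: it parses a crontab, resolves each command the way cron's shell would through PATH, and reports jobs whose lookup reaches a directory a non-root user can write to before the genuine program. The crontab text is constructed, and the `is_writable` parameter is this example's own hook for swapping in a fake check so the logic can be exercised offline.

```python
import os
import re
# Constructed /etc/crontab excerpt reproducing the pattern described above.
SAMPLE_CRONTAB = """\
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# m h dom mon dow user command
* * * * * root overwrite.sh
* * * * * root /usr/local/bin/compress.sh
*/5 * * * * root tar czf /backups/home.tgz /home
"""
DEFAULT_PATH = "/usr/bin:/bin"  # cron's default when the crontab sets none

def parse_crontab(text, system_wide=True):
    """Return (path_dirs, [(user, first word of the command)])."""
    path_dirs, jobs = DEFAULT_PATH.split(":"), []
    for line in (l.strip() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z_]\w*)=(.*)$", line)
        if m:  # environment assignment such as PATH=... or SHELL=...
            if m.group(1) == "PATH":
                path_dirs = m.group(2).strip().strip('"').split(":")
            continue
        # five time fields (or one @keyword), user field if system-wide, command
        n = (2 if line.startswith("@") else 6) + (1 if system_wide else 0)
        parts = line.split(None, n - 1)
        if len(parts) == n:
            jobs.append((parts[-2] if system_wide else None, parts[-1].split()[0]))
    return path_dirs, jobs

def writable_by_non_root(path):
    """True if path is a directory a non-root user can write into."""
    if not os.path.isdir(path):
        return False
    st = os.stat(path)
    return st.st_uid != 0 or st.st_mode & 0o022 != 0  # group/world write bits

def find_hijackable_jobs(text, system_wide=True, is_writable=writable_by_non_root):
    """[(user, program, dir)] for PATH lookups that hit a writable dir first."""
    path_dirs, jobs = parse_crontab(text, system_wide)
    findings = []
    for user, prog in jobs:
        if "/" in prog:
            continue  # explicit path: not resolved through PATH
        for d in path_dirs:
            if is_writable(d):
                findings.append((user, prog, d))
                break
            if os.path.isfile(os.path.join(d, prog)):
                break  # genuine program found first
    return findings
```

Note that with /home/user first in PATH, even a command like `tar` is reported, since the lookup reaches the writable directory before /bin; the fix is an absolute path in the crontab or a PATH that contains only root-owned directories.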