Privilege Escalation · intermediate · ~11 min
Exploit (in labs) writable cron scripts and relative-path/PATH weaknesses.
Root cron jobs that run writable scripts, call binaries by relative name (PATH), or use wildcards in writable dirs are escalation routes; so is any privileged program invoking commands without absolute paths. Fixes: root-owned non-writable scripts, absolute paths, clean PATH, no untrusted wildcards.
Writable cron scripts and PATH/relative-path abuse are common, reliable Linux escalations that need no exploit — just a misconfigured schedule or sloppy path handling. The fixes are simple hygiene that's frequently missing.
Cron as root. Writable script → root code execution on schedule. Relative-path/PATH. Influence which binary a privileged process runs. Wildcard injection. tar/chown * in writable dirs. Fix. Non-writable root-owned scripts, absolute paths, clean PATH, no untrusted wildcards.
Scheduled tasks and loose path handling are two more high-frequency Linux routes.
cron runs scheduled commands, often as root. Check /etc/crontab, /etc/cron.*, and user crontabs. Escalation arises when a root cron job:
tar * in a writable directory → "wildcard injection" (filenames become options).If a privileged script or SUID program calls a command without an absolute path (system("service ...") rather than /usr/sbin/service), it searches PATH. If you can influence PATH (or write to a directory that's early in it), your malicious service runs with the program's privileges. This is the Linux cousin of the Computer-Fundamentals PATH lesson, weaponised.
PATH.Cron and PATH abuse escalate by getting root-run code to execute attacker-controlled scripts or binaries; the defenses are non-writable root-owned jobs, absolute paths, sanitized PATH, and avoiding wildcards over untrusted directories.