
cronic - Discovers and Exploits Insecure Cron Jobs

cronic is a post-exploitation tool that automates the discovery and exploitation of insecure cron jobs on Unix-like systems. It is especially useful in Capture The Flag (CTF) events, red team engagements, and privilege escalation audits. Cronic helps identify and leverage cron job misconfigurations to escalate privileges or gain root access.


Key Features

Automated Cron Enumeration:

Scans all common locations for scheduled cron jobs.

Vulnerability Detection:

Identifies writable scripts, unquoted paths, and jobs using insecure directories (e.g., /tmp).

Exploit Suggestions:

Recommends the best exploit strategy based on real-world weaknesses.

Multiple Payload Options:

Supports reverse shell, persistence, root markers, and custom commands.

Interactive CLI:

Guides the attacker through each exploitation step.

Standalone Binary:

Built with PyInstaller for portability – no Python required at runtime.

How Does It Work?

Cronic operates by automating a series of common post-exploitation checks and privilege escalation tactics that target misconfigured or insecure cron jobs. Here's a breakdown of its workflow:

Cron Job Enumeration

Cronic scans all known cron job sources, including:

/etc/crontab

/var/spool/cron/crontabs/ (per-user cron entries)

User-defined crontabs (via crontab -l)

It parses these jobs to extract the schedule, command, user, and environment context.

Job Analysis

Each job is analyzed for common privilege escalation vulnerabilities:

Unquoted paths: Commands or script paths that contain spaces and are not properly quoted.

Writable paths: Scripts or binaries that are writable by the current user.

Suspicious locations: Jobs running from insecure locations like /tmp/ or world-writable directories.

This analysis results in a list of potentially exploitable conditions.

Exploit Recommendation

Based on the findings, Cronic suggests the most appropriate payload. For example:

Writable root-level cron script → Reverse shell

Unquoted space in a command → Root marker

Persistent backdoor path → Cron persistence

The attacker is then shown all available payload options and can override the default.

 

Writable Target Detection

Cronic filters out cron job entries that reference scripts or binaries not writable by the current user. It ensures:

The target file exists.

The file is writable.

The script is actively scheduled by cron.

Only these verified scripts are presented as viable exploit targets.
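
A defender can run the checks described under Job Analysis and Writable Target Detection as a hardening audit. The sketch below is an added example, not cronic's code: it parses /etc/crontab-style text and reports scheduled paths that sit in insecure directories or are group- or world-writable. The sample crontab, the INSECURE_DIRS list and the function names are assumptions made for the example.

```python
import os
import re
import stat

# Constructed sample in /etc/crontab format (not taken from a real system).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /tmp/cleanup.sh
*/5 * * * * backup /opt/backup/run.sh --full
@reboot root /usr/local/sbin/startup.sh
"""

# Assumption: directories this example treats as insecure job locations.
INSECURE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Five schedule fields (or an @keyword), then the user, then the command.
JOB = re.compile(r"^(@\w+|(?:\S+\s+){4}\S+)\s+(\S+)\s+(.+)$")

def parse_system_crontab(text):
    """Return (schedule, user, command) tuples from /etc/crontab-style text."""
    jobs = []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or re.match(r"\w+\s*=", line):
            continue  # blank line, comment, or environment assignment
        m = JOB.match(line)
        if m:
            jobs.append(m.groups())
    return jobs

def audit_command(command):
    """Return hardening findings for the absolute paths named in one cron command."""
    findings = []
    for path in (t for t in command.split() if t.startswith("/")):
        if path.startswith(INSECURE_DIRS):
            findings.append(f"{path}: located in an insecure directory")
        try:
            mode = os.stat(path).st_mode
        except OSError:
            continue  # path missing or unreadable: no permission bits to check
        if mode & stat.S_IWOTH:
            findings.append(f"{path}: world-writable")
        elif mode & stat.S_IWGRP:
            findings.append(f"{path}: group-writable")
    return findings

if __name__ == "__main__":
    for schedule, user, command in parse_system_crontab(SAMPLE_CRONTAB):
        for finding in audit_command(command):
            print(f"[{user}] {schedule} -> {finding}")
```

Any path this reports should be owned by the job's user or root, writable only by that owner, and kept out of shared temporary directories.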

 

Payload Injection

Once a script is selected, the tool safely appends the selected payload to the end of the script. Payloads are injected in raw shell format (no wrapping .sh headers), and no duplicate injections occur unless the script is overwritten repeatedly.

 

Execution via Cron

Because the script is already scheduled to run by cron, no further action is needed. The injected payload will execute according to the cron schedule — often within 1–2 minutes.

Why Use It?

Speed: Instantly identify cron-based privilege escalation vectors.

Simplicity: No need to manually inspect cron files or permissions.

Reliability: Only targets active, writable scripts with actual cron triggers.

Flexibility: Includes payload options for various scenarios, or allows full custom commands.

Stealth: Designed for clean and minimal interaction with system logs and files.

Usage

Quick Start


Download the script:

DOWNLOAD cronic.bin

(Or upload it from your own source.)


Make it executable:

chmod +x cronic.bin


Run the script:

./cronic.bin

 

The tool will guide you through:

  • Cron job enumeration

  • Vulnerability analysis

  • Writable script detection

  • Exploit recommendation

  • Payload selection

  • Payload injection

Options and Tips

 

Payloads Available

reverse_shell.sh - Sends a bash shell back to the attacker (requires open listener)

root_marker.sh - Creates files in /tmp to prove code execution as root

cron_persist.sh - Adds a reverse shell to the crontab for persistent access

manual_payload - Lets you enter your own shell command to inject

  • Use reverse_shell.sh for quick root shells (ensure your listener is running).

  • Use root_marker.sh to prove code execution in CTF scenarios.

  • Use manual_payload for inserting reconnaissance or custom commands.

  • For best results, use cron jobs scheduled every minute: * * * * *.

Note

  • No dependencies required.

  • Permissions: If no writable cron targets are found, privilege escalation via Cronic won't be possible.

  • Safe Injection: Cronic only injects into scripts that are both writable and tied to real, running cron jobs.

  • For educational & security auditing use only.
    Always have authorisation before running enumeration tools on production systems.
