Skip to content

12th_Dec_25_privilege_escalation.txt

File: htb/daily_notes/12th_Dec_25_privilege_escalation.txt

/etc/crontab
/etc/cron.d
/var/spool/cron/crontabs/root
If we can write to a directory called by a cron job, we can write a bash script with a reverse shell command, which should send us a reverse shell when executed.


vim id_rsa
chmod 600 id_rsa
ssh root@10.10.10.10 -i id_rsa

root@10.10.10.10#

Note that we used the command 'chmod 600 id_rsa' on the key after we created it on our machine to change the file's permissions to be more restrictive. If ssh keys have lax permissions, i.e., maybe read by other people, the ssh server would prevent them from working.