google · mzfr · Jan 9, 2026 · Jan 21, 2026
diff --git a/cronjob-privesc/Dockerfile b/cronjob-privesc/Dockerfile
@@ -0,0 +1,30 @@
+FROM ubuntu:22.04
+
+# Install cron
+RUN apt-get update && apt-get install -y cron
+
+# Create an insecure directory for world-writable execution
+RUN mkdir -p /opt/insecure_dir && chmod 777 /opt/insecure_dir
+COPY scripts/insecure_script.sh /opt/insecure_dir/insecure_script.sh
+RUN chmod 755 /opt/insecure_dir/insecure_script.sh
+
+# Create a script with weak file permissions (world-writable)
+COPY scripts/weak_script.sh /usr/local/bin/weak_script.sh
+RUN chmod 777 /usr/local/bin/weak_script.sh
+
+# --- Injections for cronjobprivesc detector ---
+
+# 1. World-writable directory execution (root cron job)
+# Schedule insecure_script.sh to run from world-writable /opt/insecure_dir
+RUN echo "*/1 * * * * root /opt/insecure_dir/insecure_script.sh" >> /etc/crontab
+
+# 2. Relative path in cron.d (root cron job)
+COPY configs/cron.d/misconfig /etc/cron.d/misconfig
+RUN chmod 644 /etc/cron.d/misconfig
+
+# 3. Weak file permissions (world-writable script)
+# Schedule the world-writable script in /etc/crontab so it is guaranteed to be scanned
+RUN echo "*/2 * * * * root /usr/local/bin/weak_script.sh" >> /etc/crontab
+
+# Keep cron running in the foreground
+CMD cron -f
diff --git a/cronjob-privesc/README.md b/cronjob-privesc/README.md
@@ -0,0 +1,46 @@
+# Cron Job Privilege Escalation Testbed
+
+This directory contains the deployment configs for a Linux environment with misconfigured cron jobs that can lead to privilege escalation. It includes:
+*   Root cron jobs executing scripts in world-writable directories (`/opt/insecure_dir`).
+*   Relative paths in privileged cron jobs (`/etc/cron.d/misconfig`).
+*   World-writable scripts executed by root (`/usr/local/bin/weak_script.sh`).
+
+## Running the Testbed
+
+To start the vulnerable container:
+
+```bash
+docker-compose up -d --build
+```
+
+## Steps to Reproduce / Verify
+
+### 1. Verify Vulnerable Configurations Manually
+You can inspect the running container to confirm the misconfigurations exist (e.g., world-writable directories and scripts):
+
+```bash
+# Get the container ID
+CONTAINER_ID=$(docker-compose ps -q vulnerable-cron)
+
+# Check permissions of the insecure directory (should be drwxrwxrwx)
+docker exec $CONTAINER_ID ls -ld /opt/insecure_dir
+
+# Check permissions of the weak script (should be -rwxrwxrwx)
+docker exec $CONTAINER_ID ls -l /usr/local/bin/weak_script.sh
+
+# View the relative path misconfiguration
+docker exec $CONTAINER_ID cat /etc/cron.d/misconfig
+```
+
+### 2. Verify Detection with SCALIBR
+Run SCALIBR against the built image to confirm it detects the vulnerabilities:
+
+```bash
+# From the root of the osv-scalibr repository:
+./run_scalibr_on_image.sh cronjobprivesc:latest
+```
+
+The scan results (in `scalibr-result.textproto`) should contain findings matching:
+*   `execution from world-writable directory`
+*   `relative path`
+*   `is world-writable`
diff --git a/cronjob-privesc/configs/cron.d/misconfig b/cronjob-privesc/configs/cron.d/misconfig
@@ -0,0 +1,3 @@
+# cron.d/misconfig
+# This job runs as root and uses a relative path, making it vulnerable to PATH manipulation.
+*/3 * * * * root relative_script.sh
diff --git a/cronjob-privesc/docker-compose.yml b/cronjob-privesc/docker-compose.yml
@@ -0,0 +1,7 @@
+version: '3.8'
+services:
+  vulnerable-cron:
+    image: cronjobprivesc:latest
+    build:
+      context: .
+      dockerfile: Dockerfile
diff --git a/cronjob-privesc/scripts/insecure_script.sh b/cronjob-privesc/scripts/insecure_script.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Hello from insecure_script.sh!"
diff --git a/cronjob-privesc/scripts/weak_script.sh b/cronjob-privesc/scripts/weak_script.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+echo "Hello from weak_script.sh!"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/bash
		echo "Hello from insecure_script.sh!"