chrono picoCTF 2023 Solution

Published: April 26, 2023

Description

Connect to a Linux server and look for tasks scheduled to run at intervals. The flag is stored directly in a crontab file.

SSH to the provided host/port and authenticate with the given password.

Look in the crontab files for automated tasks. The flag is right there.

```bash
ssh -p 49702 picoplayer@saturn.picoctf.net
# password when prompted: ekj2GJuiv4
cat /etc/cron.d/*
```
  1. Step 1: Read the crontab
    After SSH-ing in, check the system crontab directory. The flag is embedded directly in a cron job entry in /etc/cron.d/. Running cat /etc/cron.d/* displays all scheduled jobs, and the flag is printed right there as a scheduled job comment or command.
    ```bash
    cat /etc/cron.d/*
    ```

    For the broader Linux enumeration toolkit (find, ls, cat, grep, sudo -l, getcap), see Linux CLI for CTF.

    Learn more

    Cron is the Unix task scheduler. It reads crontab files - plain text tables where each line specifies a time pattern and a command - and runs those commands at the scheduled times. System-wide crontabs live in /etc/cron.d/, /etc/crontab, and the /etc/cron.{hourly,daily,weekly,monthly} directories; per-user ones are stored in /var/spool/cron/crontabs/.

    In CTF forensics and privilege-escalation scenarios, cron is worth examining because: (1) scripts invoked by root cron jobs may be writable by a lower-privileged user, allowing code execution as root; (2) cron jobs often log artifacts (temporary files, output files) that contain sensitive data; (3) poorly written cron scripts can expose credentials or intermediate results in world-readable locations - exactly as happened here with metadata.json.

    Use crontab -l to list the current user's jobs and cat /etc/crontab to inspect system jobs. Tools like pspy can monitor process creation in real time to catch cron jobs that run without appearing in static files.

    The crontab time format has five fields before the command: minute (0-59), hour (0-23), day of month (1-31), month (1-12), and day of week (0-7, where both 0 and 7 represent Sunday). Wildcards (*) match every value; step values (*/5) run every fifth unit; ranges (1-5) specify spans. The shorthand @reboot runs a command once at startup - a common persistence mechanism in Linux malware because it survives reboots without modifying any obvious system files.

    In CTF privilege escalation, a writable cron script executed by root is a reliable escalation path. If a root cron job calls /tmp/cleanup.sh and the current user can write to /tmp/, replacing that script with a reverse shell or SUID-setting command gives root access on the next cron trigger. The tool LinPEAS automatically checks for writable cron scripts as part of its privilege escalation audit.
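
A defender-side version of the writable-cron-script check described above, as an added example that is not part of the original writeup: it parses cron.d-format lines (five time fields or an @shorthand, then user and command) and reports commands whose script or parent directory is group- or other-writable. The function names and the tab-separated output format are this example's own.

```shell
#!/bin/sh
# Added example: audit cron.d-format files for jobs whose target can be
# modified by non-owners. Usage: sh cron_audit.sh /etc/crontab /etc/cron.d/*

# Print "user<TAB>command" for each job line: five time fields (or one
# @shorthand such as @reboot), then the user, then the command.
cron_jobs() {
    while IFS= read -r line || [ -n "$line" ]; do
        set -f; set -- $line; set +f          # split on whitespace, keep '*' literal
        [ $# -gt 0 ] || continue              # blank line
        case $1 in
            '#'*|[A-Za-z_]*=*) continue ;;    # comment or VAR=value setting
            @*) skip=1 ;;                     # @reboot, @daily, ...
            *)  skip=5 ;;                     # minute hour day-of-month month day-of-week
        esac
        [ $# -ge $((skip + 2)) ] || continue  # malformed: no user or command
        shift "$skip"; user=$1; shift
        printf '%s\t%s\n' "$user" "$*"
    done < "$1"
}

# True when ls shows group or other write permission on the (dereferenced) path.
loose_mode() {
    case $(ls -ldL "$1" 2>/dev/null) in
        ?????w*|????????w*) return 0 ;;
    esac
    return 1
}

# Report each absolute path in a job's command that is a loosely writable file,
# or sits in a loosely writable directory (creatable; replaceable if not sticky).
audit_cron_file() {
    cronfile=$1
    cron_jobs "$cronfile" | while IFS="$(printf '\t')" read -r user cmd; do
        set -f; set -- $cmd; set +f
        for word in "$@"; do
            case $word in /*) ;; *) continue ;; esac
            if [ -f "$word" ] && loose_mode "$word"; then
                printf '%s\t%s\twritable-file\t%s\n' "$cronfile" "$user" "$word"
            elif loose_mode "$(dirname "$word")"; then
                printf '%s\t%s\twritable-dir\t%s\n' "$cronfile" "$user" "$word"
            fi
        done
    done
}

for f in "$@"; do
    if [ -r "$f" ]; then audit_cron_file "$f"; fi
done
```

Each output line names the cron file, the user the job runs as, the finding, and the path; findings for jobs that run as root are the ones to fix first.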

Flag

picoCTF{Sch3dule_1s_n0t_s0_s3cr3t_4f2fe44}

The flag appears directly inside the crontab file in /etc/cron.d/.
