Hijacks

PATH Hijacking

When a script is executed with elevated privileges (e.g., via sudo or in a cron job) and calls other binaries or scripts with relative paths, it may be possible to hijack the execution flow by manipulating the PATH variable or exploiting relative paths.
PATH Hijacking with sudo:

Sometimes it is possible to run scripts as sudo that call other scripts from within the script. When these scripts are called by a relative path, it is possible to create a malicious script in a directory with write permissions.

This command creates a script named initdb.sh that will copy bash to a file in the /tmp folder when called for execution:

Once the malicious script is executed by the vulnerable script, you just need to execute the shell from the /tmp folder to become root:
Path Hijacking in cron job:

When PATH includes /usr/local/bin before /usr/bin in the cron job's environment, there is an opportunity for PATH hijacking if a binary or script is executed without using an absolute path. By placing a malicious binary in a directory earlier in the PATH (e.g., /usr/local/bin), you can hijack the execution flow.

bash drops SUID privileges by default, so make sure to run it with -p to keep root:
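As an added defensive example (not part of the original page), the following audit helper checks a privileged script for the exposure described above: it extracts the commands the script resolves through PATH and reports which PATH entries, searched before the genuine binary, a non-root user could write to. The script text, directory ownership and modes are constructed sample data standing in for os.stat/os.listdir.

```python
"""Added audit example: flag PATH-hijack exposure in a cron/sudo script."""
import re
import shlex
import stat

# Words the shell resolves itself, so they never go through a PATH lookup
BUILTINS = {"if", "then", "else", "fi", "for", "do", "done", "while", "cd",
            "echo", "exit", "export", "set", "eval", "source", ".", "[", "test"}
SEPARATORS = re.compile(r"\|\||&&|;|\|")

def relative_commands(script_text):
    """Command words invoked without a slash, i.e. resolved through PATH."""
    found = []
    for raw in script_text.splitlines():
        line = raw.split("#", 1)[0]  # crude: drops comments and the shebang
        for segment in SEPARATORS.split(line):
            try:
                words = shlex.split(segment)
            except ValueError:
                continue  # unbalanced quotes: skip this fragment
            while words and re.match(r"[A-Za-z_]\w*=", words[0]):
                words.pop(0)  # leading VAR=value assignments are not commands
            if words and "/" not in words[0] and words[0] not in BUILTINS \
                    and words[0] not in found:
                found.append(words[0])
    return found

def hijackable(path_value, commands, dir_meta):
    """PATH entries searched before (and including) the genuine binary that a
    non-root user could write to. dir_meta: dir -> (owner_uid, st_mode, {bins})."""
    findings = {}
    for cmd in commands:
        for d in path_value.split(":"):
            owner, mode, bins = dir_meta.get(d, (0, 0o40755, set()))
            if owner != 0 or mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.setdefault(cmd, []).append(d)
            if cmd in bins:
                break  # real binary found here; later entries are never reached
    return findings

# Constructed cron backup script and a host where /usr/local/bin is world-writable
SCRIPT = """#!/bin/bash
BACKUP=/var/backups/app.tgz
cd /srv/app && tar czf "$BACKUP" data || echo "tar failed"
/usr/bin/logger "backup finished"
"""
DIR_META = {"/usr/local/bin": (0, 0o40777, set()),
            "/usr/bin": (0, 0o40755, {"tar", "logger"}), "/bin": (0, 0o40755, {"sh"})}
CRON_PATH = "/usr/local/bin:/usr/bin:/bin"
```

Running hijackable(CRON_PATH, relative_commands(SCRIPT), DIR_META) reports tar as resolvable from the writable /usr/local/bin; pinning PATH at the top of the script or calling /usr/bin/tar directly clears the finding.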
Path Hijack in supervisord.pid:

Supervisor is a process management tool for keeping services running. Each managed process must have a [program:<name>] line followed by another line command= where you should place the payload:
Python Path Hijacking

Sometimes python scripts are executed by cron jobs or by other scripts with sudo permissions:

Check the python PATH order:

Here is an example of a reverse shell to hijack the os module:

When a module is imported, you can create a malicious module in the same directory where the vulnerable script is, and python will import the malicious module instead:
sudo via PHP Cronjob

Use this reverse shell to hijack PHP files being used with sudo privileges by a cron job or another script:
sudo via Symlink
Path Hijacking via doas

doas is a lightweight, simple command-line utility for running commands with elevated privileges on Unix-like systems, similar to sudo. doas.conf has important information for privilege escalation:
Path Hijacking via sudo -i

If there is a writable directory in the $PATH (e.g., /tmp or /home/user/), an attacker can control the contents of this directory. First, create a malicious bash script in /tmp/bash:

Then on the vulnerable $PATH just run:
sudo via PHP

If it is possible to use PHP with sudo:
Hijack APT
npm via sudo

A NodeJS package is defined in a file package.json; it is possible to create a malicious package and run it with the --unsafe option to get code execution:

The malicious package.json needs to be contained within the fake package directory; once everything is set up, just run it with sudo:
dstat Plugin poisoning

dstat allows running arbitrary python scripts loaded as "external plugins" if they are located in one of the directories stated in the man page:

~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat

Normally, to escalate privileges you want to choose the ones within the root path; check for writable permissions:

Create a malicious plugin:

Execute it with --PluginName:
Composer Hijacking

First create the temporary folder where you will invoke the shell from and save it in an environment variable:

Once that is done, create the malicious script to feed composer:

Finally, just execute the script with its built-in option:
GitPython

CVE-2022-24439

Inadequate validation of user input when handling remote URLs passed to the clone command:
Symbolic Links via sudo

Sudoedit Double Wildcard Exploit

Using this exploit it is possible to create a symbolic link pointing to the authorized_keys file. First create a new directory in the vulnerable path:

Now, from the new directory, create the symbolic link:

Finally use sudoedit to write your public key:
tar wildcards

Move the directory being used by the script:

Replace it with a symbolic link pointing to your target directory:

Decompress the content: