π€οΈPATH Abuse
π― Overview
PATH environment variable manipulation to achieve privilege escalation by hijacking command execution through directory precedence and writable path exploitation.
π PATH Variable Basics
Understanding PATH
# Check current PATH
echo $PATH
env | grep PATH
# Typical PATH structure
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/gamesHow PATH Works:
System searches directories left to right
First match gets executed
Absolute paths bypass PATH lookup
Relative commands use PATH resolution
π― PATH Hijacking Attack Vectors
Current Directory Injection
sudo =
Writable Directory Exploitation
π§ Common Attack Scenarios
Scenario 1: Sudo Script with Relative Commands
Exploitation:
Scenario 2: Cronjob Path Manipulation
If cron job runs:
And script.sh contains:
π Script and Binary Hijacking
Common Target Commands
Malicious Script Templates
π Enumeration Techniques
PATH Analysis
Writable Directory Detection
Vulnerable Script Detection
π Exploitation Examples
Basic PATH Hijacking
Cronjob PATH Exploitation
π Detection & Enumeration
Quick PATH Audit
β οΈ Defensive Considerations
Secure PATH Practices
Common Vulnerabilities
Current directory (.) in PATH - Most dangerous
Writable directories in PATH - Exploitation opportunity
Scripts using relative commands - Hijacking targets
User-modifiable PATH - Attack vector
π Key Attack Points
High-Impact Scenarios
Sudo scripts with relative commands + writable PATH directory
Cron jobs executing scripts with relative paths
SUID binaries calling other programs without absolute paths
User scripts with PATH manipulation capabilities
Quick Wins
Check
sudo -lfor scriptsLook for writable directories in PATH
Find scripts with relative command calls
Test PATH modification permissions
PATH abuse exploits the fundamental way Linux systems locate executables - by manipulating the search order, attackers can hijack command execution and escalate privileges through legitimate system mechanisms.
Last updated