What is Path Hijacking?

Path Hijacking is a method where the bad guys will try to execute their malicious payload by running it from a different path than they are in at that moment.

Let’s look at it this way

The bad guys are currently inside the /home/ directory but their malicious payloads are stored or saved inside /tmp/ or /dev/shm directory.

A screenshot of a computer

Description automatically generated with medium confidence

We should be enumerated manually by running the “sudo -l” command

As people have noticed, there are some functions such as setenv which define a value of environment variable.

An example of the Path Hijacking method can be found below

An example of the demonstration can be taken from here

Step 1

Firstly, we can use the find binary to exploit where we can use the path hijacking on the machine. Inside the file “find”, we can put some simple commands such as bash where we can obtain the root shell

We should be giving the file the execution permission

Therefore, we should be executing a path hijacking as sudo PATH=/dev/shm:$PATH and also include the SUID binary that we can abuse it with.

Step 2

For this second step, the only difference is the name of the file which we will be using [ as the execution file naming purpose.

As shown in step 1 previously, we can take advantage of path hijacking such as sudo PATH=/dev/shm:$PATH with the SUID binary

Step 3


Description automatically generated

The screenshot above shows the code that resides inside the /opt/cleanup.sh file

Graphical user interface

Description automatically generated

Let’s create some script that will try to escalate to root privileges access

Once completed with the script, let’s compile it as shown above.

A picture containing text

Description automatically generated

As a result, let’s upload the compiled script into the victim’s machine

Leave a Reply

Your email address will not be published. Required fields are marked *