What is Path Hijacking?
Path Hijacking is a technique where an attacker gets their malicious payload executed by making it run from a different path than the one they are currently in, so that the system picks up the attacker's file instead of the intended program.
Let’s look at it this way: the attacker is currently inside the /home/ directory, but the malicious payloads are stored inside the /tmp/ or /dev/shm directory.
We start by enumerating manually with the “sudo -l” command.
As can be seen in the output, the sudo rule carries the SETENV tag, which allows the user to define the value of environment variables when running the command.
An example of the Path Hijacking method can be found below.
An example of the demonstration can be taken from here
Firstly, we choose the find binary as the one to hijack on the machine. Inside a file named “find”, we put a simple command such as bash, which will give us the root shell.
We then give the file execute permission.
Next, we perform the path hijacking by running sudo PATH=/dev/shm:$PATH followed by the SUID binary that we can abuse.
For this second step, the only difference is the name of the file: this time the executable is named [ instead.
As shown in step 1 previously, we can take advantage of path hijacking by running sudo PATH=/dev/shm:$PATH with the SUID binary.
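The two conditions the steps above rely on can be checked from the defensive side: a sudo rule that carries SETENV, and a script that invokes commands such as find or [ by bare name so they are resolved through PATH. The audit helper below is an added example, not code from the original write-up; the “sudo -l” output and script body are constructed sample data, and the user name lowpriv and the script path /opt/cleanup.sh are only illustrative.

```python
import re
import shlex

# Constructed `sudo -l` output (sample data, not from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for lowpriv on host:
    env_reset

User lowpriv may run the following commands on host:
    (root) SETENV: NOPASSWD: /opt/cleanup.sh
    (root) NOPASSWD: /usr/bin/systemctl status app
"""

# Constructed script body standing in for a file like /opt/cleanup.sh.
SAMPLE_SCRIPT = """\
#!/bin/bash
cd /var/tmp
find . -type f -mtime +7 -delete
/bin/rm -f /var/tmp/*.lock
"""

# Builtins never go through PATH lookup, so they are not hijackable.
SHELL_BUILTINS = {"cd", "export", "set", "echo", "exit", "if", "fi", "for", "do",
                  "done", "while", "umask", "trap", "source", "."}

def find_setenv_rules(sudo_l_output):
    """Return the commands of `sudo -l` rules that carry the SETENV tag."""
    rules = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        # Rule lines look like "(runas) TAG: TAG: /path/to/cmd args".
        if line.startswith("(") and "SETENV:" in line:
            rules.append(re.sub(r"^\([^)]*\)\s*(?:[A-Z]+:\s*)*", "", line))
    return rules

def find_unqualified_commands(script_text):
    """Return (line_no, name) for script lines whose command is a bare name."""
    hits = []
    for line_no, raw in enumerate(script_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = shlex.split(line)[0]
        # A bare name (no "/") that is not a builtin is resolved through PATH.
        if "/" not in first and "=" not in first and first not in SHELL_BUILTINS:
            hits.append((line_no, first))
    return hits

def hijack_risk(sudo_l_output, script_text):
    """True when a SETENV rule exists and the script resolves commands via PATH."""
    return bool(find_setenv_rules(sudo_l_output)) and bool(find_unqualified_commands(script_text))
```

The fix on the script side is to call commands by absolute path (or set PATH explicitly at the top of the script); on the sudoers side, to drop the SETENV tag unless it is genuinely needed.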
The screenshot above shows the code that resides inside the /opt/cleanup.sh file
Let’s create a script that will try to escalate to root privileges.
Once the script is complete, let’s compile it as shown above.
Next, let’s upload the compiled script to the victim’s machine.