Writeup - Hack The Box
Using pspy64 we can see that run-parts is triggered on login.
Find the PATH order in which the scripts are executed:
jkr@writeup:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
Look at the path for run-parts to see if we can exploit the order:
jkr@writeup:~$ which run-parts
/bin/run-parts
Noticed that /usr/bin (and the directories listed before it) come before /bin in the search order, so a same-named file placed earlier in $PATH wins. So I made a reverse-shell script called run-parts and placed it in a directory that comes earlier in $PATH. With nc listening on my local host, I logged out and back in as jkr@writeup to trigger the scripts and boom - reverse root shell.
INFO ABOUT PATH:
Q: If there are multiple executable files in PATH with the same name, which one is preferred?
A: It stops at the first one it finds, reading $PATH left to right.
Q: Is the current directory included in the search when a file is executed?
A: If the current directory is in PATH then it is searched. Remember that an empty entry in PATH includes the current directory, e.g. PATH=:/usr/bin (leading empty), PATH=/usr/bin: (trailing empty) and PATH=/usr/bin::/bin (middle empty) will all effectively include the current working directory.
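The search-order rules above are what made the run-parts shadowing work, so here is an added audit script (not from the writeup or from pspy64) that resolves a command name exactly as the shell does, first executable file left to right, and flags the two weak spots: empty PATH fields (current directory) and directories the calling user can write to. The PATH string and the temporary directories it checks are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the writeup: audit a PATH string the way the shell
# resolves commands, to spot entries that let a same-named file shadow a
# system binary such as run-parts. All directories below are constructed.
# One PATH entry per line. An empty line is an empty field, which the shell
# treats as the current directory (leading ':', trailing ':' or '::').
path_entries() {
  printf '%s\n' "$1" | tr ':' '\n'
}
# Resolve NAME against PATH left to right like the shell: first executable
# regular file wins. Prints that path; exit status 1 if nothing matches.
first_match() {
  name=$1
  path_entries "$2" | {
    while IFS= read -r dir; do
      if [ -z "$dir" ]; then dir=.; fi
      if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
        printf '%s\n' "$dir/$name"
        exit 0
      fi
    done
    exit 1
  }
}
# Print one "POSITION:KIND:DIR" line per risky entry: EMPTY for a current
# directory field, WRITABLE for a directory the caller can write to (root can
# write everywhere, so run this as the unprivileged account being checked).
audit_path() {
  path_entries "$1" | {
    n=0
    while IFS= read -r dir; do
      n=$((n + 1))
      if [ -z "$dir" ]; then
        printf '%d:EMPTY:(current directory)\n' "$n"
      elif [ -d "$dir" ] && [ -w "$dir" ]; then
        printf '%d:WRITABLE:%s\n' "$n" "$dir"
      fi
    done
  }
}
# Constructed demo: an empty field, then a writable dir and a later dir that
# both hold a run-parts; the lookup stops at the earlier copy.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir -p "$demo/early" "$demo/late"
for d in early late; do
  printf '#!/bin/sh\necho %s\n' "$d" > "$demo/$d/run-parts"
  chmod 755 "$demo/$d/run-parts"
done
CONSTRUCTED_PATH=":$demo/early:$demo/late"
audit_path "$CONSTRUCTED_PATH"
first_match run-parts "$CONSTRUCTED_PATH"
```

Run it as the low-privilege user whose login triggers the scripts; any WRITABLE entry that precedes /bin, or any EMPTY entry at all, is the condition the writeup relied on.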