0xPThree

Pentester, HTB enjoyer
0-day contributor

N/A






ROOT

Using pspy64 we can see that run-parts is triggered on login.

Find the PATH order the scripts are executed:

jkr@writeup:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Look at the path for run-parts to see if we can exploit the order:

jkr@writeup:~$ which run-parts
/bin/run-parts

Noticed that both /usr/local/bin and /usr/bin is before /bin in order of script execution. So I made a reverse-shell script called run-parts and placed it in the /usr/local/bin dir.

Start nc on local host, log out and in again from jkr@writeup to trigger scripts and boom - reverse root shell.

INFO ABOUT PATH:
Q: If there are multiple executable files in PATH with the same name which one is preferred?
A: It stops at the first one it finds, reading $PATH left to right.

Q: Is current directory included in the search when file is executed?
A: If the current directory is in PATH then it is searched. Remember that an empty directory in PATH includes the current directory. e.g. PATH=:/usr/bin (leading empty) PATH=/usr/bin: (trailing empty) and PATH=/usr/bin::/bin (middle empty) will all effectively include current working directory.