ROOT
Using pspy64 we can see that run-parts is triggered on login.
Check the order in which PATH is searched for an executable:

```
jkr@writeup:~$ echo $PATH
/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
```

Look at where run-parts actually lives to see whether that order can be exploited:

```
jkr@writeup:~$ which run-parts
/bin/run-parts
```
Both /usr/local/bin and /usr/bin come before /bin in the search order, so a file named run-parts in either of them would be found first. I therefore made a reverse-shell script called run-parts and placed it in /usr/local/bin.

Start nc on the local host, then log out and back in as jkr@writeup to trigger the login scripts. Boom: reverse root shell.
INFO ABOUT PATH:

Q: If there are multiple executable files in PATH with the same name, which one is preferred?
A: It stops at the first one it finds, reading $PATH left to right.

Q: Is the current directory included in the search when a file is executed?
A: Only if the current directory is in PATH. Remember that an empty entry in PATH stands for the current directory, e.g. PATH=:/usr/bin (leading empty), PATH=/usr/bin: (trailing empty) and PATH=/usr/bin::/bin (middle empty) will all effectively include the current working directory.
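A defender-side check that ties the two points together (the run-parts search order above and the empty-entry rule in the Q&A), added here as an example and not part of the original writeup: it resolves a command the way the shell does and lists any writable directory searched before the real binary. The function name shadow_risk and the live check on the host's $PATH are my own assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup. It resolves a
# command the way the shell does (first match, scanning PATH left to
# right) and reports every directory searched BEFORE the real binary that
# the current user can write to: a same-named file dropped there would be
# executed instead. Empty PATH entries (leading, trailing or doubled ':')
# are treated as the current directory, matching the rules quoted above.
#
# shadow_risk NAME PATHSTRING
#   stdout: writable directories that precede NAME's real location
#   exit:   0 = none, 1 = at least one, 2 = NAME not found at all
shadow_risk() {
    name=$1
    rest="$2:"          # trailing sentinel so the last entry is parsed too
    found=1
    hits=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}             # entry before the first ':'
        rest=${rest#*:}             # drop it together with the ':'
        [ -z "$dir" ] && dir=.      # empty entry == current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            found=0
            break                   # the shell stops here; later dirs are irrelevant
        fi
        # Only existing, writable directories are reported; entries that
        # do not exist are skipped (hardening those is a separate question).
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
            hits=1
        fi
    done
    [ "$found" -eq 0 ] || return 2
    return "$hits"
}

# Live check on this host's PATH. On the box above, with
# PATH=/usr/local/bin:/usr/bin:/bin:..., a writable /usr/local/bin is
# exactly the condition the writeup exploited.
if shadow_risk run-parts "$PATH"; then
    echo "run-parts: no writable directory precedes it in PATH"
else
    echo "run-parts: shadowing possible from the directories listed above (or not found)"
fi
```

Running it as the unprivileged user on the box would print /usr/local/bin and exit 1, the signal that a login-triggered run-parts can be hijacked.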