Day 21: PATH Hijacking & Cron Exploitation — The Automation Trap 🕵️♂️
Source: Dev.to
PATH Hijacking: The Power of Order
Linux finds programs by searching, in order, the directories listed in the $PATH variable. If a root-owned script calls tar without an absolute path, the first tar found in that search order is the one that runs, wherever it lives.
The Exploit
# Place a malicious script named `tar` in a writable directory, e.g. /tmp
export PATH=/tmp:$PATH # prepend /tmp to the PATH
The Result
When the privileged script runs tar, it will invoke your fake tar from /tmp, allowing you to obtain a root shell.
Cron Job Exploitation
Cron is the Linux job scheduler. If a script referenced from /etc/crontab (or another system crontab) is world-writable (-rwxrwxrwx), any local user can edit it, and an attacker can modify it to execute arbitrary commands as root the next time cron runs it.
The Injection
echo "/bin/bash" >> /usr/local/bin/backup.sh
The Payload
After the next scheduled run (typically within a minute), the injected command is executed with root privileges.
Wildcard Injection in Cron
When a cron job passes a wildcard to a program, such as:
tar -czf backup.tar.gz /home/user/*
the shell expands the wildcard into the list of file names in /home/user before tar runs, so an attacker who can create files in that directory can choose names that look like command-line options (e.g., --checkpoint=1). tar receives those names as arguments and parses them as options, potentially causing it to execute unintended code.
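As an added, defender-side example that is not part of the original post: a small Python audit that reads a system crontab and flags the three conditions described above: commands resolved through PATH, world-writable PATH directories or target scripts, and unquoted globs passed to a program. The crontab sample is constructed, and mode_of is a hypothetical injectable lookup so the check can be run against a fake filesystem.

```python
import os
import re
import shlex
import stat

# Constructed /etc/crontab-style sample (not copied from any real host).
SAMPLE_CRONTAB = """\
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root /usr/local/bin/backup.sh
0 2 * * * root tar -czf /var/backups/home.tgz /home/user/*
30 3 * * * root /usr/bin/find /tmp -mtime +7 -delete
"""

def _mode_of_path(path):
    """st_mode of path on the real filesystem, or None if it does not exist."""
    try:
        return os.stat(path).st_mode
    except OSError:
        return None

def _world_writable(path, mode_of):
    return bool((mode_of(path) or 0) & stat.S_IWOTH)

def audit_crontab(text, mode_of=_mode_of_path):
    """Return (line_no, finding) tuples for a system crontab (5 time fields, user, command).
    mode_of is a hypothetical injectable lookup so the audit can run on a fake filesystem."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        assign = re.match(r"(\w+)=(.*)$", line)
        if assign:                                   # environment line such as PATH=
            if assign.group(1) == "PATH":            # a writable PATH dir enables hijacking
                for d in assign.group(2).split(":"):
                    if _world_writable(d, mode_of):
                        findings.append((no, f"PATH directory {d} is world-writable"))
            continue
        fields = line.split(None, 6)
        if len(fields) < 7:
            continue
        argv = shlex.split(fields[6])
        prog = argv[0]
        if "/" not in prog:                          # bare name: resolved through PATH
            findings.append((no, f"'{prog}' is looked up through PATH (hijack risk)"))
        elif _world_writable(prog, mode_of):         # anyone can edit what root will run
            findings.append((no, f"{prog} is world-writable"))
        if any(c in arg for arg in argv[1:] for c in "*?["):
            findings.append((no, "unquoted glob in arguments (option-injection risk)"))
    return findings
```

On a real host, pass the contents of /etc/crontab to audit_crontab with the default mode_of; per-user crontabs lack the user field and would need a six-field variant of the parser.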