🛠️ The "Invisible" Attack Vectors
1. PATH Hijacking: The Power of Order
Linux resolves a command name by searching the directories listed in the $PATH variable, in order. If a script running as root calls tar instead of /bin/tar, it executes the first tar found along that search order.
- The Exploit: Place a malicious script named tar in a directory like /tmp, then add /tmp to the start of the PATH: export PATH=/tmp:$PATH.
- The Result: The root script runs your "fake" tar, giving you a root shell.
2. Cron Job Exploitation
Cron is the Linux job scheduler. If a script that /etc/crontab runs as root is world-writable (-rwxrwxrwx), you've already won.
- The Injection: echo "/bin/bash" >> /usr/local/bin/backup.sh
- The Payload: Wait 1 minute for the cron job to run, and your command executes as root.
3. Wildcard Injection in Cron
If a cron job runs a command with a shell wildcard, such as tar -czf backup.tar.gz /home/user/*, the shell expands the wildcard into file names before tar ever sees them. A file whose name looks like a command-line option (e.g., --checkpoint=1) is therefore handed to tar as an argument, which can trick the program into executing code.
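As an added defensive example (not code from the original post), the following script audits every script a system crontab runs for the three weaknesses above: loose write permissions, commands resolved through PATH without pinning PATH, and unquoted wildcards passed to archive or permission tools. It assumes the /etc/crontab field layout (minute hour dom mon dow user command) and an ls that prints the usual ten-character mode string; the crontab and both scripts it checks are constructed in a temporary directory.

```shell
#!/bin/sh
# Added defensive audit (constructed sample, not from the original post).

# audit_script FILE: print one finding per line (empty output = nothing found)
audit_script() {
  f="$1"
  # 1. group- or other-writable: anyone in that group, or anyone at all, can
  #    append commands that cron will then run as the job's user (root here)
  case "$(ls -ld "$f" | cut -c6,9)" in
    *w*) echo "WRITABLE   $f ($(ls -ld "$f" | cut -c1-10))" ;;
  esac
  # 2. tool invoked by bare name while the script never sets PATH itself
  if ! grep -qE '^[[:space:]]*(export[[:space:]]+)?PATH=' "$f" &&
     grep -qE '(^|[;|&])[[:space:]]*(tar|rsync|cp|chown|chmod|find|gzip)[[:space:]]' "$f"; then
    echo "BARE-CMD   $f (set PATH explicitly or call /bin/tar etc. by full path)"
  fi
  # 3. unquoted wildcard as an argument to a tool that accepts file-like options
  if grep -qE '(tar|rsync|chown|chmod|rm)[^#]*[[:space:]][^[:space:]]*\*' "$f"; then
    echo "WILDCARD   $f (archive the directory itself, or use -- and a fixed list)"
  fi
}

# audit_crontab CRONFILE: audit the script path in the command field of each
# active system crontab line (min hour dom mon dow user command ...)
audit_crontab() {
  awk '!/^[[:space:]]*(#|$)/ && NF >= 7 { print $7 }' "$1" |
    while IFS= read -r script; do
      [ -f "$script" ] && audit_script "$script"
    done
}

# make_sample: constructed crontab plus one weak and one hardened backup script;
# prints the temp directory so the caller can point audit_crontab at it
make_sample() {
  d=$(mktemp -d)
  printf '#!/bin/bash\ncd /home/user || exit 1\ntar -czf /var/backups/home.tgz *\n' > "$d/backup.sh"
  chmod 777 "$d/backup.sh"      # -rwxrwxrwx, the permissions the post describes
  printf '#!/bin/bash\nPATH=/usr/bin:/bin\ncd /home/user || exit 1\n/bin/tar -czf /var/backups/home.tgz -- .\n' > "$d/safe.sh"
  chmod 750 "$d/safe.sh"
  printf '* * * * * root %s/backup.sh\n# comment\n*/5 * * * * root %s/safe.sh\n' "$d" "$d" > "$d/crontab"
  echo "$d"
}

# Stand-alone run: backup.sh yields three findings, safe.sh yields none.
demo_dir=$(make_sample)
audit_crontab "$demo_dir/crontab"
rm -rf "$demo_dir"
```

Point audit_crontab at /etc/crontab and each file in /etc/cron.d to check a real host; a clean script sets PATH (or uses absolute paths), is writable only by its owner, and never lets the shell expand a wildcard into tar's argument list.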
Follow my journey: #1HourADayJourney