Sudo
sudo -l will show us the commands delegated to our user. See an example of possible output below.
With the result of the command, we can then check GTFOBins for comprehensive ways to escalate.
The section of interest for us here is the following one:
Let's try this command: sudo vim -c ':!/bin/sh'
It works right away.
The section of interest for us here is the following one:
So let's try this: sudo awk 'BEGIN {system("/bin/sh")}'
It works.
sudo -l
We should see this: (root) NOPASSWD: /usr/sbin/apache2
Note: There is no entry on GTFOBins about apache2, but Google can do the trick ;) We could search for something like "sudo apache2 privilege escalation".
sudo -l
We should see something like this: env_keep+=LD_PRELOAD
We are going to preload a user-specified shared library before any other shared libraries.
We need to write our malicious library that will privesc for us by changing our gid and uid to 0 (root). We put this code in a file named x.c.
Now we need to compile our library with gcc: gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
And now we need to set it as our user's preloaded library: sudo LD_PRELOAD=/tmp/x.so apache2
This vulnerability allows us to change our user ID. We need to have some sudo rights delegated to us; this works very well with rights on /bin/bash.
This one is a buffer overflow.
If we see that we have password feedback on (we can try any sudo command to check for this), it means that the option pwfeedback is turned on in /etc/sudoers, and that makes it vulnerable to buffer overflow.
Then we find an that mentions this command to let us view system files.
See an example with wget on veteransec's writeup of the HTB box called sunday.
We should be root
Check out a writeup of an example of exploitation.
We basically just need to run the provided exploit. For practice on this, check out on TryHackMe
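From the defender's side, the conditions this page relies on (sudo rules for programs that can spawn a shell, env_keep preserving LD_PRELOAD, and pwfeedback being enabled) can be checked for automatically. The following is an added example, not part of the original page; the function name, the SHELL_CAPABLE list and the sample sudo -l output are assumptions constructed for illustration.

```python
import re

# Programs this page shows escaping to a shell under sudo; extend as needed.
SHELL_CAPABLE = {"vim", "awk"}

ENV_KEEP_PRELOAD = re.compile(r'env_keep\s*\+?=\s*"?[^,"]*\bLD_PRELOAD\b')
PWFEEDBACK_ON = re.compile(r"(?<![!\w])pwfeedback\b")  # ignores !pwfeedback
RUNAS_SPEC = re.compile(r"\([^)]*\)\s*(.+)$")           # "(root) TAG: cmd, cmd"
TAG_PREFIX = re.compile(r"^(?:[A-Z_]+:\s*)+")           # NOPASSWD:, SETENV:, ...


def audit_sudo_policy(text):
    """Return [(line_no, finding)] for sudoers text or `sudo -l` output."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ENV_KEEP_PRELOAD.search(line):
            findings.append((line_no, "env_keep preserves LD_PRELOAD"))
        if PWFEEDBACK_ON.search(line):
            findings.append((line_no, "pwfeedback is enabled"))
        spec = RUNAS_SPEC.search(line)
        if not spec:
            continue
        nopasswd = " without a password" if "NOPASSWD:" in line else ""
        for cmd in spec.group(1).split(","):
            # Drop any leading tags, then keep only the program path.
            parts = TAG_PREFIX.sub("", cmd.strip()).split()
            if parts and parts[0].rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append(
                    (line_no, f"{parts[0]} can spawn a shell{nopasswd}"))
    return findings


# Constructed sample of `sudo -l` output (not taken from a real host).
SAMPLE = """\
Matching Defaults entries for user on host:
    env_reset, env_keep+=LD_PRELOAD, pwfeedback

User user may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim, /usr/bin/awk
    (root) NOPASSWD: /usr/sbin/apache2
"""

if __name__ == "__main__":
    for line_no, finding in audit_sudo_policy(SAMPLE):
        print(f"line {line_no}: {finding}")
```

The same function accepts the contents of /etc/sudoers; each finding points at a line to review and tighten.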