Sudo
sudo -l will show us the commands delegated to our user. See an example of possible output below.
With the result of the command, we can then check GTFOBins for comprehensive ways to escalate.
Vim: on GTFOBins, the section of interest for us here is the following one:
Let's try this command: sudo vim -c ':!/bin/sh'
It works right away
Awk: on GTFOBins, the section of interest for us here is the following one:
So let's try this: sudo awk 'BEGIN {system("/bin/sh")}'
It works
With sudo -l we should see this: (root) NOPASSWD: /usr/sbin/apache2
Note: There is no entry on GTFOBins about apache2, but Google can do the trick ;) We could type something like "sudo apache2 privilege escalation".
Then we find an article that mentions this command to let us view system files.
See here an example with wget on veteransec's writeup of the HTB box called sunday.
With sudo -l we should see something like this: env_keep+=LD_PRELOAD
We are going to preload a user-specific shared library before any other shared libraries.
We need to write our malicious library that will privesc for us by changing our gid and uid to 0 (root). We put this code in a file named x.c
Now we need to compile our library with gcc: gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles
And now we need to set it as our user's preloaded library: sudo LD_PRELOAD=/tmp/x.so apache2
This vulnerability allows us to change our user ID. We need to have some sudo rights delegated to us; this works very well with rights on /bin/bash.
Check out a writeup of an example of exploitation here.
This one is a buffer overflow
If we see that we have password feedback on (we can try any sudo command to check for this), it means that the option pwfeedback is turned on in /etc/sudoers, and that makes it vulnerable to a buffer overflow.
We basically just need to run the provided exploit. To practice this, check out this box on TryHackMe.
We should be root
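
The sudo -l checks described on this page (delegated vim, awk, apache2 and wget, env_keep+=LD_PRELOAD, and pwfeedback) can be reviewed from the administrator's side with a short audit script. This is an added example, not code from the original page; the function name audit_sudo_l, the PAGE_BINARIES set and the sample output are assumptions constructed for illustration.

```python
import os
import re

# Binaries this page shows being run through sudo; not a complete list.
PAGE_BINARIES = {"vim", "awk", "apache2", "wget"}

# Constructed sample of `sudo -l` output (not captured from a real host).
SAMPLE = """\
Matching Defaults entries for user on host:
    env_reset, env_keep+=LD_PRELOAD, pwfeedback

User user may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/awk, /usr/sbin/apache2
    (root) /usr/bin/less
"""

# "(runas) TAG: TAG: cmd, cmd" as printed in the rules section.
RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$")

def audit_sudo_l(text):
    """Return (kind, item, reason) tuples for entries worth reviewing."""
    findings, section = [], None
    for line in text.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("User ") and "may run the following" in line:
            section = "rules"
        elif section == "defaults" and line.strip():
            for opt in (o.strip() for o in line.split(",")):
                if opt.startswith("env_keep") and "LD_PRELOAD" in opt:
                    findings.append(("defaults", opt, "LD_PRELOAD is kept across sudo"))
                elif opt == "pwfeedback":
                    findings.append(("defaults", opt, "password feedback is enabled"))
        elif section == "rules" and (m := RULE.match(line)):
            auth = "no password" if "NOPASSWD:" in m.group(2) else "password"
            for cmd in filter(None, (c.strip() for c in m.group(3).split(","))):
                name = os.path.basename(cmd.split()[0])
                if name in PAGE_BINARIES:
                    findings.append(("rule", cmd, f"{name} as {m.group(1)} ({auth})"))
    return findings

if __name__ == "__main__":
    for kind, item, reason in audit_sudo_l(SAMPLE):
        print(f"[{kind}] {item}: {reason}")
```

Each finding points at a line to remove or narrow in /etc/sudoers: drop LD_PRELOAD from env_keep, turn pwfeedback off, and replace rules for programs that can spawn a shell or read arbitrary files with tightly scoped wrappers.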