Abusing SUDO

In Linux, sudo stands for “super user do”. When you run a command in Linux and prepend it with sudo, the command will be run as with root privileges. For example, if you want to install something, you will usually have to run it with sudo. There are a few things to keep in mind about sudo:

  1. The user running the sudo command must be a member of the sudoers group.
  2. A password is usually required to run the command
  3. Some commands that usually require the sudo command can be run without sudo if an administrator added an exception in the /etc/sudoers file.
  4. sudo leaves an audit trail in the logs.
  5. An administrator can specify entire groups of users, or specific commands for specific users allowed to be run with sudo.

With these things in mind, let’s jump into some common misconfigurations of sudo so we can escalation our privileges.

Known Password

Let’s start really simple. If there is a user we found a password for (look at previous section), and this user happens to be a member of the sudoers group, all we have to do to become root is run this command and enter the password:

sudo su

If this user is a member of the sudoers file, you should be root now if the su command isn’t blocked.

Escape Sequences

Sometimes system administrators will allow certain users to run a specific set of commands with sudo privileges. To list out a list of these privileges, we can type out sudo -l. This will list out all the programs we can run as sudo. Below is a sample output of commands the user can run with sudo.

This means any command listed here is allowed to be run with the sudo command because the system administrator added this configuration into the /etc/sudoers file. Keep this in mind because the next topic will link back to this concept.

Many programs provide a way to display a shell to the user. One popular example is an old version of the popular networking scanning tool nmap. Older versions of nmap could display a shell to users by typing in nmap –interactive. After typing this in, the user can type in !sh to get an interactive shell.

Now let’s combine the two concepts we just discussed. If we have permission to run nmap with sudo privileges, and we can get nmap to spawn an interactive shell, what permissions will the shell be running as? Theoretically root since the program was run with sudo.

Let’s try attacking nmap in the example below with only two commands:

First, we run nmap with sudo privileges in interactive mode:

Next we type in !sh into the prompt to get an interactive shell as root:

Other programs offer similar functionality as well. These are usually bundled with software as a “feature”, but when improperly implemented, they become security holes in the system. At the time of this writing there is an active project called GTFOBins located at https://gtfobins.github.io/ that contains a well-kept list of Unix binaries that can be exploited by abusing sudo or other functions. This should be one of the first places you check; there are well over a hundred known binaries on this list.

Below is a small table with a few examples of popular programs and how to spawn an interactive shell from the program. If these programs are run with sudo, the interactive shells in these programs will give you root.

FTP     !vim     !shless    !shfind    find /bin -name tar -exec /bin/sh \;awk     awk ‘BEGIN {system(“/bin/sh”)}’nano    nano -s /bin/sh

Note: if the program Zip is able to run as SUDO, reference this guide for a comprehensive walkthrough on how to exploit Zip. Zip Privilege Escalation

It’s easy for a system administrator to become frustrated every time a user needs sudo access temporarily for a small task, so instead of looking for an alternative solution, the system administrator will provide permanent sudo access to particular programs for certain users. If the program provides access to an interactive shell or can write to the file system, you have a clear path to root.

Abusing Functionality

The next example is something I found online for how to abuse the built-in functionality of the apache2 service to read files on the system as root. https://touhidshaikh.com/blog/?p=790.

The service apache2 allows anyone with elevated privileges to read files systems on the server. So, what can you do with this? You can’t quite get a root shell with this command, but you can read sensitive files on the file server. If there is a password protected .config file you can’t access, but if you have sudo access, you can now access the file and read the contents. You can also do this for file such as /etc/shadow and get the password hashes of users. Let’s see how this works. By running the following command, we can get the password hashes of all the users on the machine:

sudo apache2 -f /etc/shadow

When used by itself, this abuse of sudo doesn’t lead to root, but can be chained with other attacks to potentially lead to elevated privileges.

LD_PRELOAD Exploitation

LD_PRELOAD is an environment variable that can be set to point to any shared libraries specified. The dynamic linker on the Unix system will load these shared libraries before other libraries. So, what does this mean for an attacker? When we type in sudo -l and we see something that looks like the output below, we have a high likelihood of being able to elevate to root.

user@debian:~$ sudo -lMatching Defaults entries for user on this host:env_keep+=LD_PRELOADUser user may run the following commands on this host:(root) NOPASSWD: /usr/bin/find

Let’s take a step back so we understand why this is a vulnerability. When a Unix system loads a program, it will load all the necessary libraries (usually .so files) to run the program. If we have write access to the LD_PRELOAD variable AND sudo access to a program, we can change the order of libraries loaded for that certain program, and load a malicious executable before any other libraries are loaded for the program. Our attack would look something like this:

Create a malicious executable called exploit.c located in the /tmp/ directory.

#include <stdio.h>#include <sys/types.h>#include <stdlib.h>void _init({ unsetenv("LD_PRELOAD");setgid(0);setuid(0);system("/bin/bash");}

Compile the executable.

gcc -shared -fPIC -o /tmp/exploit.so /tmp/exploit.c

Load the new library executable first when running a program we have sudo privileges to and we get root

user@debian:/tmp$ sudo LD_PRELOAD=/tmp/exploit.so findroot@debian:/tmp# iduid=0(root) gid=0(root) groups=0(root)

Generally, you won’t need to use this technique because there are so many programs you can abuse if you already have sudo privileges for them, but it’s a good one to know just in case.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Recipe For Root

Recipe For Root

I am a Security Consultant and formerly worked at PayPal as a Penetration Tester. At night I teach Cyber Security at UTexas. OSCP