6. Sudo
Introduction
sudo is a program which lets users run other programs with the security privileges of other users. By default, that other user will be root.
A user generally needs to enter their password to use sudo, and they must be permitted access via rule(s) in the /etc/sudoers file.
Rules can also restrict a user to specific programs, or waive the password requirement entirely.
Useful Commands
Run a program using sudo:
sudo <program>
Run a program as a specific user:
sudo -u <username> <program>
List programs a user is allowed (and disallowed) to run:
sudo -l
Known Password
By far the most obvious privilege escalation with sudo is to use sudo as it was intended!
If your low privileged user account can use sudo unrestricted (i.e. you can run any program) and you know the user’s password, privilege escalation is easy: use the “switch user” (su) command to spawn a root shell.
Other Methods
If for some reason the su program is not allowed, there are many other ways to escalate privileges:
Shell Escape Sequences
Even if we are restricted to running certain programs via sudo, it is sometimes possible to “escape” the program and spawn a shell.
Since the initial program runs with root privileges, so does the spawned shell.
A list of programs with their shell escape sequences can be found here: GTFOBins
List the programs your user is allowed to run via sudo -l.
For each program in the list, see if there is a shell escape sequence on GTFOBins.
If an escape sequence exists, run the program via sudo and perform the sequence to spawn a root shell.
Abusing Intended Functionality
If a program doesn’t have an escape sequence, it may still be possible to use it to escalate privileges.
If we can read files owned by root, we may be able to extract useful information (e.g. passwords, hashes, keys).
If we can write to files owned by root, we may be able to insert or modify information.
List the programs your user is allowed to run via sudo:
Note that apache2 is in the list.
apache2 doesn’t have any known shell escape sequences; however, when parsing a given config file, it will error and print any line it doesn’t understand.
Run apache2 using sudo, and provide it the /etc/shadow file as a config file:
Extract the root user’s hash from the file and crack it with john.
Environment Variables
Programs run through sudo can inherit the environment variables from the user’s environment.
In the /etc/sudoers config file, if the env_reset option is set, sudo will run programs in a new, minimal environment.
The env_keep option can be used to keep certain environment variables from the user’s environment.
The configured options (including env_reset and the env_keep list) are displayed when running sudo -l.
1. LD_PRELOAD
LD_PRELOAD is an environment variable which can be set to the path of a shared object (.so) file.
When set, the shared object will be loaded before any others.
By creating a custom shared object that defines an init() function, we can execute code as soon as the object is loaded.
Limitations
LD_PRELOAD will not work if the real user ID is different from the effective user ID.
sudo must be configured to preserve the LD_PRELOAD environment variable using the env_keep option.
List the programs your user is allowed to run via sudo:
Note that the env_keep option includes the LD_PRELOAD environment variable.
Create a file (preload.c) with the following contents:
Compile preload.c to preload.so:
Run any allowed program using sudo, while setting the LD_PRELOAD environment variable to the full path of the preload.so file:
2. LD_LIBRARY_PATH
The LD_LIBRARY_PATH environment variable contains a set of directories where shared libraries are searched for first.
The ldd command can be used to print the shared libraries used by a program:
By creating a shared library with the same name as one used by a program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.
Run ldd against the apache2 program file:
Hijacking shared objects using this method is hit or miss. Choose one from the list and try it (libcrypt.so.1 seems to work well).
Create a file (library_path.c) with the following contents:
Compile library_path.c into libcrypt.so.1:
Run apache2 using sudo, while setting the LD_LIBRARY_PATH environment variable to the current path (where we compiled library_path.c):
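As an added example (not part of the original notes), the following Python audits sudoers-style text for the conditions this section describes: env_reset disabled, env_keep preserving LD_PRELOAD or LD_LIBRARY_PATH, NOPASSWD or SETENV tags on a rule, and unrestricted ALL rules that make the "known password" path trivial. The sample configuration is constructed for illustration, and the regular expressions cover the common sudoers syntax shown on this page rather than the full grammar (aliases and line continuations are not handled).

```python
"""Audit sudoers-style configuration for the risky settings described above.

Added example, not the course's own code. SAMPLE_SUDOERS is a constructed
configuration, not taken from any real host.
"""
import re

# Environment variables the notes single out as hijackable when preserved
RISKY_ENV_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sample: one safe env_keep line, one risky one, a per-user
# !env_reset override, a NOPASSWD rule and a SETENV rule.
SAMPLE_SUDOERS = """\
Defaults        env_reset
Defaults        mail_badpass
Defaults        env_keep += "LANG LC_ALL"
Defaults        env_keep += "LD_PRELOAD"
Defaults:alice  !env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
www-data        ALL=(root) NOPASSWD: /usr/sbin/apache2
alice           ALL=(ALL) SETENV: /usr/bin/less
"""

# "Defaults", optionally scoped (Defaults:user, Defaults@host, ...), then options
DEFAULTS_RE = re.compile(r"^Defaults(?P<scope>[:@>!]\S+)?\s+(?P<body>.+)$")
# env_keep = "A B" / env_keep += C  (quotes optional, stop at a comma)
ENV_KEEP_RE = re.compile(r'env_keep\s*\+?=\s*"?([^",]+)"?')
# user  host = (runas) [TAG:] command[, command...]
USER_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<cmds>.+)$"
)


def _strip_comment(line: str) -> str:
    return line.split("#", 1)[0].strip()


def audit_sudoers(text: str) -> list[str]:
    """Return human-readable findings for each risky setting in `text`."""
    findings: list[str] = []
    env_reset_stated = None  # None until the file sets env_reset unscoped

    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line:
            continue

        m = DEFAULTS_RE.match(line)
        if m:
            scope, body = m.group("scope") or "", m.group("body")
            if re.search(r"!\s*env_reset\b", body):
                target = f" for {scope[1:]}" if scope else ""
                findings.append(
                    f"env_reset disabled{target}: sudo passes the caller's environment through")
                if not scope:
                    env_reset_stated = False
            elif re.search(r"\benv_reset\b", body) and not scope:
                env_reset_stated = True
            km = ENV_KEEP_RE.search(body)
            if km:
                for var in sorted(set(km.group(1).split()) & RISKY_ENV_VARS):
                    findings.append(
                        f"env_keep preserves {var}: loader hijack possible for sudo-run programs")
            continue

        m = USER_SPEC_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        who, runas = m.group("who"), m.group("runas") or "root"
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            tags = re.findall(r"\b([A-Z]+):", cmd)  # NOPASSWD:, SETENV:, ...
            program = re.sub(r"\b[A-Z]+:\s*", "", cmd).strip()
            if "NOPASSWD" in tags:
                findings.append(f"{who} may run {program} as {runas} without a password")
            if "SETENV" in tags:
                findings.append(
                    f"{who} may override the environment (SETENV) when running {program}")
            if program == "ALL":
                findings.append(f"{who} may run ALL commands as {runas}")

    if env_reset_stated is None:
        findings.append(
            "env_reset not set explicitly in this file; confirm the compiled-in default with sudo -l")
    return findings


if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Run it against a copy of /etc/sudoers and the files under /etc/sudoers.d (read with sudo or as root; the file is not world-readable). The unscoped env_reset state is tracked separately from per-user overrides because a `Defaults:user !env_reset` line re-enables environment passing only for that user, which is exactly the kind of rule that is easy to miss when reading sudo -l output.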