Sudo Rights Abuse
When the sudo command is issued, the system checks whether the user issuing the command has the appropriate rights, as configured in /etc/sudoers.
The /etc/sudoers file therefore specifies which users or groups are allowed to run specific programs, and with what privileges.
Sometimes we will need to know the user's password to list their sudo rights, but any rights entries with the NOPASSWD option can be seen without entering a password.
Vulnerable sudo version
Find out the version of sudo:
CVE-2021-3156: hax-me-a-sandwich
This affected the following sudo versions:
- 1.8.31 - Ubuntu 20.04
- 1.8.27 - Debian 10
- 1.9.2 - Fedora 33
- and others
Proof of concept: https://github.com/blasty/CVE-2021-3156
On our attacking machine:
This will generate the file sudo-hax-me-a-sandwich. Now we serve this file from our attacking machine:
From the target machine:
CVE-2019-14287: Sudo Policy Bypass
Another vulnerability was found in 2019 that affected all versions below 1.8.28 and allowed privilege escalation with a simple command.
CVE-2019-14287: https://www.sudo.ws/security/advisories/minus_1_uid/
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
Exploiting the bug requires that the user have sudo privileges that allow them to run commands with an arbitrary user ID.
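As an added defensive example (not part of the original notes), serving both the sudoers rights described at the top of the page and the Runas ALL pattern above: a small Python auditor that flags sudoers user specifications carrying NOPASSWD, a Runas list of the form (ALL, !root), or one of the binaries this page abuses (ncdu, tcpdump, openssl), and checks a sudo version string against the 1.8.28 fix threshold for CVE-2019-14287. The sudoers content and version strings are constructed sample input, not taken from any real host.

```python
import re
from typing import List, Tuple

# Binaries this page shows being abused for command execution when granted via sudo
# (ncdu's "!" escape, tcpdump's postrotate-command, openssl per GTFOBins).
SHELL_CAPABLE = {"ncdu", "tcpdump", "openssl"}
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC)\s*:")
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

# Constructed sample sudoers content, not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
root        ALL=(ALL:ALL) ALL
%admin      ALL=(ALL) ALL
htb-student ALL=(ALL,!root) /usr/bin/ncdu
www-data    ALL=(root) NOPASSWD: /usr/sbin/tcpdump
backup      ALL=(ALL) NOPASSWD: /usr/bin/openssl
alice       ALL=(root) /usr/bin/apt update   # limited to one subcommand
"""

def sudo_version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '1.8.27p1' into (1, 8, 27); the 'pN' patch suffix is dropped."""
    return tuple(int(x) for x in version.split("p")[0].split("."))

def vulnerable_to_cve_2019_14287(version: str) -> bool:
    """All sudo versions below 1.8.28 accept uid -1 / 4294967295 as root."""
    return sudo_version_tuple(version) < (1, 8, 28)

def audit_sudoers(text: str) -> List[Tuple[str, str]]:
    """Return (sudoers_line, reason) pairs for risky user specifications."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(SKIP_PREFIXES) or not (m := SPEC_RE.match(line)):
            continue
        runas_users = (m.group("runas") or "root").replace(" ", "").split(":")[0].split(",")
        if "ALL" in runas_users and any(u.startswith("!") for u in runas_users):
            findings.append((line, "Runas ALL with an excluded user: uid -1 bypass on sudo < 1.8.28 (CVE-2019-14287)"))
        if "NOPASSWD" in TAG_RE.findall(m.group("rest")):
            findings.append((line, "NOPASSWD: these rights need no password"))
        for cmd in TAG_RE.sub("", m.group("rest")).split(","):
            binary = cmd.strip().split(" ")[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                findings.append((line, f"{binary} can execute arbitrary commands as the Runas user"))
    return findings

if __name__ == "__main__":
    for spec, reason in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{reason}\n    {spec}")
```

Run it against a copy of a real sudoers file (and the contents of /etc/sudoers.d/) to list entries that deserve either a version upgrade or a tighter command specification.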
Output:
This means that we can run the command /usr/bin/ncdu as any user except root.
However, if we run it this way:
The system may fall back to 0, which is the root user ID:
After entering /usr/bin/ncdu, spawn a shell with one of several methods:
- Entering an exclamation mark: !
- With /bin/bash -i
tcpdump
For instance:
Output:
By specifying the -z flag, an attacker could use tcpdump to execute a shell script, gain a reverse shell as the root user or run other privileged commands.
For example, an attacker could create the shell script .test containing a reverse shell:
Then, we set up a listener on the attacking machine:
And then, run tcpdump as root with the postrotate-command.
On more recent distributions, the AppArmor profile for tcpdump restricts the commands that can be run via the postrotate-command, effectively preventing this command execution.
openssl
We continue our enumeration:
Output:
This means we can use openssl as root to do several things:
- Drop a cronjob or systemd service (if writable)
- Read root-only files
- Read and execute your own reverse shell script
We can, for instance, read /etc/shadow and of course /etc/passwd:
If we copy /etc/shadow as shadow and /etc/passwd as passwd to our local machine:
First, save /etc/passwd and /etc/shadow from the victim machine to the attacker machine.
Second, use unshadow to put users and password hashes in the same file:
Third, run John the Ripper. You can brute-force a list of users or specific ones:
Now we will have:
But we are mostly interested in root and lab_adm, as they are administrators on the machine. So we will keep looking for a way. We may try to abuse openssl to write a new user into the system:
On our Kali machine:
Output:
/etc/passwd line:
/etc/shadow line (replace <HASH>):
Bring /etc/passwd and /etc/shadow to your Kali:
Read /etc/shadow with our sudo rights. Create a copy on the Ubuntu target machine and then copy the output to your Kali (save it as sass):
Do the same with /etc/passwd and save it as lass.
Now, on your Kali, append the following to the /etc/passwd copy (lass):
And append this line to the /etc/shadow copy (sass):
Now serve lass and sass from your Kali:
And download them from the Ubuntu machine:
Now we use openssl via sudo to overwrite /etc/passwd and /etc/shadow with our files and thereby create a new user with root privileges.
Now:
A more straightforward way: there is a GTFOBins entry for the OpenSSL binary.
Copy the private key to the ~/.ssh folder on your Kali:
Last update: 2025-05-18 Created: February 12, 2025 20:36:23