Sudo Exploitation: Escalating Privileges on Linux
In the realm of penetration testing and Capture The Flag (CTF) challenges, particularly those aligned with certifications like OSCP, escalating privileges is a critical phase. One of the most common and powerful methods for achieving this on Linux systems is through the exploitation of sudo misconfigurations. This module will guide you through understanding how sudo works and how to leverage its vulnerabilities to gain root access.
Understanding Sudo and its Configuration
sudo (superuser do) allows a permitted user to execute a command as another user, typically the superuser (root). This is managed by the /etc/sudoers file, which defines which users can run which commands on which hosts, and as which other users. Misconfigurations in this file are the primary vector for sudo exploitation.
Common Sudo Exploitation Techniques
Several patterns of sudo misconfigurations are frequently encountered. Recognizing these patterns is key to successful exploitation.
| Technique | Description | Exploitation Method |
|---|---|---|
| NOPASSWD Entry | User can run a specific command as root without a password. | If the command allows arbitrary command execution or file manipulation, exploit it. |
| Executable with Shell Capabilities | User can run an executable as root that can spawn a shell or execute other commands. | Leverage the executable's features to spawn a root shell. |
| Script Execution | User can run a script as root that contains exploitable logic. | Modify the script or its execution path to gain root. |
| Abusable Binaries | User can run specific binaries (e.g., find, awk, less) as root that have features allowing command execution. | Utilize the binary's built-in features to execute commands as root. |
Exploiting `find` with Sudo
The find command is a powerful utility that can be misused for privilege escalation if granted via sudo. Specifically, its -exec option allows it to execute commands on found files.
If a user can run find as root, they can use it to execute arbitrary commands. A common technique is to use find to locate a file and then execute a shell. For instance, sudo find . -exec /bin/sh \; would attempt to execute /bin/sh in the current directory. A more robust method to get a root shell is sudo find . -exec /bin/sh -p \;. The -p flag is crucial here as it requests a privileged shell, which is often a root shell when executed via sudo.
Text-based content
Library pages focus on text content
Exploiting `vim` with Sudo
Text editors like vim are often granted sudo privileges for administrative tasks. However, vim has built-in shell capabilities that can be leveraged.
If a user can run sudo vim <any_file>, they can enter command mode within vim by pressing :. From there, they can execute shell commands using the ! prefix. For example, typing :!whoami would show the current user. To get a root shell, one would type :!/bin/sh or :!bash and press Enter. This effectively spawns a root shell within the vim process.
Tools and Techniques for Discovery
Identifying sudo vulnerabilities requires careful enumeration. Several tools and manual checks can help.
sudo -l
The sudo -l command is your primary tool for understanding your current sudo privileges. It will list the commands you are permitted to run as root (or another user) and whether a password is required. Beyond this, manual inspection of the /etc/sudoers file (if read access is available) or using automated scripts like linpeas.sh can reveal common misconfigurations.
The Sudoers File and GTFOBins
Understanding the structure of the /etc/sudoers file is crucial. However, memorizing every possible exploitable binary is impractical. This is where resources like GTFOBins become invaluable.
GTFOBins is a curated list of Unix binaries that can be exploited to bypass local security restrictions, including privilege escalation via sudo. It provides specific commands and examples for numerous binaries.
Practical Application and OSCP Relevance
For OSCP, mastering sudo exploitation is non-negotiable. Many machines in the lab environment and exam scenarios will feature sudo misconfigurations as a primary path to root. Practice identifying these vulnerabilities on vulnerable VMs and in CTF challenges. Always start with sudo -l and then cross-reference any permitted commands with GTFOBins or other exploit databases.
Example Scenario
Imagine you have low privileges and discover you can run sudo find without a password. You would then consult GTFOBins for find and see the sudo find . -exec /bin/sh \; or similar command. Executing this would grant you a root shell, completing the privilege escalation.
Learning Resources
A curated list of Unix binaries that can be exploited to bypass local security restrictions, including privilege escalation via sudo. Essential for finding exploitable commands.
The official manual page for sudo, providing comprehensive details on its configuration and usage, crucial for understanding the underlying mechanisms.
Official documentation from Offensive Security that often touches upon common privilege escalation techniques, including sudo exploitation, relevant to OSCP.
A repository of exploits, including those targeting sudo vulnerabilities. Useful for finding specific exploit scripts or techniques.
A detailed guide on Linux privilege escalation, with a dedicated section on sudo exploitation, offering practical examples and commands.
Explains the fundamental concepts of the sudoers file and how sudo works, providing a solid foundation for understanding misconfigurations.
A video tutorial demonstrating common sudo privilege escalation techniques with practical examples, helpful for visual learners.
An in-depth look at the sudoers file syntax and common configurations, aiding in the analysis of potential vulnerabilities.
While not solely focused on sudo, this script and its accompanying documentation cover many aspects of Linux enumeration, including sudo permissions, which is a vital first step.
A whitepaper discussing various sudo vulnerabilities and how they can be exploited, offering a more academic and in-depth perspective.