Linux Privilege Escalation – Sudo Commands/Binaries

Introduction

Sudo is a Linux utility that allows users to run commands with the privileges of another user; when no target user is specified, the command is executed as root.

If sudo is not configured correctly, this could allow attackers to escalate their privileges to root.

The sudoers file

The /etc/sudoers file stores all sudo privileges: which users are allowed to run sudo, which commands they may run through it, which users or groups they may run those commands as, and whether a password must be entered.

Below is the default /etc/sudoers file configuration:

The structure for the sudo permissions works as follows:

  1. User allowed to run sudo
  2. Hosts where the user is allowed to run sudo
  3. User or group the user is able to impersonate
  4. Command the user is allowed to run as sudo

Additionally, the NOPASSWD tag can be added, which means no password will be required to run those commands through sudo.

Root level access is required to edit the sudoers file and it can be done with:

sudo visudo -f /etc/sudoers

Visudo ensures sudoers is edited by one user at a time and performs a syntax check before saving, since a malformed sudoers file can break sudo entirely.

In the example below, the “steflan” user is allowed to run cat, pkexec and tar as any user, without having to enter the user’s password:
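The four-field structure above, with the steflan grant as sample input, as an added example that is not part of the original post: a small Python audit script that parses sudoers user specifications (skipping comments, Defaults and alias lines), records the NOPASSWD tag, and flags any grant of ALL or of a binary on the RISKY list. The sudoers text is constructed, and the RISKY set is an assumption seeded from the three binaries this post covers.

```python
import re

# One user specification per line, in the order the post lists the fields:
#   user  hosts=(runas) [TAG: ...] command, command, ...
SPEC_RE = re.compile(r"^(?P<user>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
                     r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
# Assumption: binaries worth flagging, seeded with the three this post abuses
# (cat, tar, pkexec) plus a few other well-known GTFOBins sudo entries.
RISKY = {"cat", "tar", "pkexec", "vim", "less", "find", "bash"}
# Constructed sample mirroring the post's "steflan" line (not a real file).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
steflan ALL=(ALL) NOPASSWD: /bin/cat, /usr/bin/pkexec, /bin/tar
backup  ALL=(root) /usr/bin/rsync   # scoped to one non-GTFOBins binary
"""

def parse_sudoers(text):
    """Return one dict per user specification; comments, Defaults and aliases are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "User_Alias", "Cmnd_Alias",
                                        "Host_Alias", "Runas_Alias")):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        rest, tags = m.group("rest"), []
        while (t := re.match(r"^([A-Z]+):\s*", rest)):   # NOPASSWD:, SETENV:, ...
            tags.append(t.group(1))
            rest = rest[t.end():]
        entries.append({"user": m.group("user"), "hosts": m.group("hosts"),
                        "runas": m.group("runas") or "root", "tags": tags,
                        "commands": [c.strip() for c in rest.split(",")]})
    return entries

def audit(entries, risky=RISKY):
    """Return (user, command, reasons) for each grant of ALL or of a risky binary."""
    findings = []
    for e in entries:
        for cmd in e["commands"]:
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd != "ALL" and binary not in risky:
                continue
            reasons = ["unrestricted (ALL)"] if cmd == "ALL" else [f"{binary} is on GTFOBins for sudo"]
            if "NOPASSWD" in e["tags"]:
                reasons.append("no password required")
            findings.append((e["user"], cmd, reasons))
    return findings
```

The parser does not follow #includedir / @includedir directives, so on a real host run it as root against /etc/sudoers and each file under /etc/sudoers.d.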

Exploiting Sudo Commands/Binaries

The following command can be used to see which commands or binaries the current user has access to run:

sudo -l

The example below confirms what was said in the previous section:

To identify if any of these can be exploited, GTFOBins can come in handy.

GTFOBins lets you search for binaries or commands and check whether, when executed through sudo, they give access to normally restricted actions.

The search bar can be used to find the command, and the results show ways to exploit that command. The “Sudo” section is the one relevant to this attack.

Example #1

GTFOBins says the cat command can be exploited to read arbitrary files.

As shown below, the cat command was used to view the /etc/sudoers file, which is normally restricted to superusers:

This could be used to view the /etc/shadow file and crack user hashes.

Example #2

Tar can be exploited, among other things, to write to arbitrary files:

To exploit this to escalate to root, a new SSH key pair can be generated and the public key inserted into the /root/.ssh/authorized_keys file, which lists the SSH public keys authorized to log in as root:

An attacker can then authenticate as root via SSH:

There are other ways available such as adding a new line to /etc/passwd.

Example #3

The pkexec command can be exploited to gain a root shell:

A binary or command can be provided as argument for pkexec to execute:

Conclusion

Sudo is a very powerful tool; it should be configured to allow users to run only the commands they need as root, and only if those commands cannot be abused to perform restricted actions, as this could lead to a full system compromise.

This is quite a common privilege escalation vector, both in CTFs and in real life, especially when system admins get lazy.