sudo - Linux Privilege Escalation

Note: If you need to zoom in, you can click on the image.

Information about sudo

Sudo allows a user to run a program with root privilege. Think of it as Run as Administrator on Windows.

The problem

The problem with allowing a user to run sudo is that it can lead to privilege escalation. There are two routes we can take:
Leverage application functions
OR
Leverage LD_PRELOAD

For leveraging application functions - We simply abuse the sudo rights we have been given for certain commands and use them to get root privilege. To find which commands a user account is allowed to run with sudo, we use `sudo -l`. Then we combine that information with this resource (https://gtfobins.github.io/) to get root privilege.

For leveraging LD_PRELOAD - LD_PRELOAD lets a program load a shared library of our choosing. We are essentially overriding the default shared library the program uses with our own malicious shared library. That malicious shared library is loaded through /etc/ld.so.preload, and the program uses it, allowing us to get root privilege.

This is the drawing I made explaining how LD_PRELOAD is leveraged:

*Note: I'm still unfamiliar with this approach. I would have to learn it in more detail.*

Additional resources if you're curious:
https://medium.com/r3d-buck3t/overwriting-preload-libraries-to-gain-root-linux-privesc-77c87b5f3bf8
https://www.hackingarticles.in/linux-privilege-escalation-using-ld_preload/
https://attack.mitre.org/techniques/T1574/006/
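Both routes above come down to a sudo configuration that a defender can audit: which rules hand a user shell-capable binaries (the `sudo -l` step from the application-functions route), and whether LD_PRELOAD survives sudo's environment reset or /etc/ld.so.preload has been populated (the LD_PRELOAD route). The Python below is an added example and is not code from the original post or from TryHackMe. The `sudo -l` output it parses is constructed to resemble the lab described later in the post; the hostname `examplehost`, the `env_keep+=LD_PRELOAD` default and the `systemctl` rule are made up, and `SHELL_ESCAPE_BINARIES` is only a starter set, to be extended from the "sudo" function list on GTFOBins.

```python
"""Audit helpers for sudo rules and preload libraries (added example, not from the post)."""
import os
import re
from dataclasses import dataclass
from typing import List

# Binaries named in the post as giving a shell when run via sudo.
# Extend this set from the "sudo" section of https://gtfobins.github.io/.
SHELL_ESCAPE_BINARIES = {"find", "less", "nano"}

# Constructed sample of `sudo -l` output. The hostname, the env_keep entry and
# the systemctl rule are invented; the three NOPASSWD rules mirror the lab.
SAMPLE_SUDO_L = """\
Matching Defaults entries for karen on examplehost:
    env_reset, mail_badpass, env_keep+=LD_PRELOAD, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User karen may run the following commands on examplehost:
    (ALL) NOPASSWD: /usr/bin/find
    (ALL) NOPASSWD: /usr/bin/less
    (ALL) NOPASSWD: /usr/bin/nano
    (root) /usr/bin/systemctl restart nginx
"""

# One rule line: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*)$")


@dataclass
class SudoRule:
    runas: str
    tags: List[str]      # e.g. ["NOPASSWD"], ["SETENV"], or []
    command: str

    @property
    def binary(self) -> str:
        """Basename of the command, e.g. /usr/bin/find -> find."""
        return os.path.basename(self.command.split()[0])


@dataclass
class SudoAudit:
    defaults: List[str]
    rules: List[SudoRule]
    findings: List[str]


def audit_rules(defaults: List[str], rules: List[SudoRule]) -> List[str]:
    """Turn parsed Defaults and rules into human-readable findings."""
    findings = []
    for d in defaults:
        # sudo normally strips LD_PRELOAD; env_keep re-admits it for every rule.
        if d.startswith("env_keep") and "LD_PRELOAD" in d:
            findings.append(f"Defaults keeps LD_PRELOAD across sudo ({d}); remove it from env_keep")
    for r in rules:
        if r.binary in SHELL_ESCAPE_BINARIES:
            how = "without a password" if "NOPASSWD" in r.tags else "after a password prompt"
            findings.append(f"{r.command} as ({r.runas}) {how} can spawn a shell (see GTFOBins); restrict or remove the rule")
        if "SETENV" in r.tags:
            findings.append(f"{r.command} carries SETENV, so the invoker may override environment variables for it")
    return findings


def parse_sudo_l(text: str) -> SudoAudit:
    """Parse the text printed by `sudo -l` into Defaults, rules and findings."""
    defaults: List[str] = []
    rules: List[SudoRule] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
            continue
        if line.startswith("User ") and "may run" in line:
            section = "rules"
            continue
        if section == "defaults":
            defaults.extend(d.strip() for d in line.split(",") if d.strip())
        elif section == "rules":
            m = RULE_RE.match(line)
            if m:
                tags = [t.rstrip(":") for t in m.group("tags").split()]
                rules.append(SudoRule(m.group("runas"), tags, m.group("cmd").strip()))
    return SudoAudit(defaults, rules, audit_rules(defaults, rules))


def preload_libraries(content: str) -> List[str]:
    """List the objects named in an /etc/ld.so.preload body.

    glibc reads the file as object names separated by whitespace or ':' with
    '#' comments; anything listed is loaded into every dynamically linked
    program, so the file should normally be absent or empty."""
    libs: List[str] = []
    for line in content.splitlines():
        line = line.split("#", 1)[0].replace(":", " ")
        libs.extend(line.split())
    return libs


if __name__ == "__main__":
    for finding in parse_sudo_l(SAMPLE_SUDO_L).findings:
        print("-", finding)
    if os.path.exists("/etc/ld.so.preload"):
        with open("/etc/ld.so.preload") as fh:
            print("ld.so.preload entries:", preload_libraries(fh.read()))
```

On a real host, pipe the output of `sudo -l` into `parse_sudo_l` instead of the sample; the parser only relies on the "Matching Defaults entries" and "User ... may run" headers that sudo prints.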

Let's move on to the demonstration. Note: this TryHackMe room only approaches Linux privilege escalation by leveraging application functions. Maybe in the near future I will write a blog post specifically about LD_PRELOAD sudo Linux privilege escalation.

Demonstration:

For the demonstration, we will be using the TryHackMe Linux Privilege Escalation room, Sudo lab: https://tryhackme.com/room/linprivesc

As shown below, I am logged into an account named karen. When I run the command `id`, this is the information presented to me: `uid=1001(karen) gid=1001(karen) groups=1001(karen)`. Now my goal is to go from local user privilege to root privilege.

Let's start by seeing which commands I am allowed to run with sudo. To find this information, I will use: `sudo -l`

From the picture, I can see that find, less and nano are given sudo permission. That means I can run them with sudo without being prompted for a password. Knowing this, I can refer to this reference: https://gtfobins.github.io/ and, in the website's search box "Search among 376 binaries....", type find and click on the button "sudo".

After that, I will copy `sudo find . -exec /bin/sh \; -quit` into the command prompt, run it, and then run the command `id`.

Now, I have root privilege.

Additional information

One of the TryHackMe questions was: "What is the hash of frank's password?". To find this information, I would have to look in /etc/shadow. Now, let's understand the structure of /etc/shadow.

This is frank's entry: `frank:$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:7:::`

You may be thinking: cool, but where is the hash? This resource explains it really well: https://www.cyberciti.biz/faq/understanding-etcshadow-file/

Essentially, we need to split the line into its fields. To better convey the information, I will be using a drawing :)

Referring to the drawing above, the fields separated by colons are:
  1. Username
  2. Hash of the password
  3. Number of days since the last password change
  4. Number of days left before the user is allowed to change her password again. An empty field or the value 0 means there is no minimum password age.
  5. The maximum number of days the password is valid; after that the user is forced to change his/her password again.
  6. Number of days before the password expires that the user is warned that his/her password must be changed, i.e. "you have 4 days to change your password" before the system forces you to change it.
  7. The number of days after the password expires that the account is disabled.
  8. The date of expiration of the account, expressed as the number of days since Jan 1, 1970.

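To make the field layout concrete, here is an added Python example (not code from the original post) that parses a shadow line into those eight fields plus the reserved ninth one, identifies the hash algorithm from the `$id$` prefix of field 2, converts the day counts to calendar dates, and reports the settings a defender would want to spot (empty password, locked account, no maximum password age). It is run on frank's entry exactly as shown in the post; the second sample line for `bob` is constructed.

```python
"""Parse /etc/shadow entries into named fields (added example, not from the post)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

EPOCH = date(1970, 1, 1)  # shadow day counts are days since this date

# crypt(3) hash identifiers that appear between the first two '$' signs.
CRYPT_IDS = {
    "1": "MD5",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "SHA-256",
    "6": "SHA-512",
    "y": "yescrypt",
}

# frank's entry as it appears in the post, plus a constructed locked account.
FRANK_LINE = ("frank:$6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv.jNmwo/"
              "BJpphrPRJWjelWEz2HH.joV14aDEwW1c3CahzB1uaqeLR1:18796:0:99999:7:::")
BOB_LINE = "bob:!:18796:0:90:7:14:18900:"   # constructed sample


def _days(field: str) -> Optional[int]:
    """Empty numeric fields mean 'not set'; everything else is a day count."""
    return int(field) if field else None


@dataclass
class ShadowEntry:
    username: str            # field 1
    password: str            # field 2: hash, '!'/'*' for locked, '' for none
    last_change: Optional[int]   # field 3: days since epoch of last change
    min_days: Optional[int]      # field 4
    max_days: Optional[int]      # field 5
    warn_days: Optional[int]     # field 6
    inactive_days: Optional[int] # field 7
    expire: Optional[int]        # field 8: account expiry, days since epoch
    reserved: str                # field 9: unused

    @property
    def is_locked(self) -> bool:
        return self.password.startswith(("!", "*"))

    @property
    def hash_algorithm(self) -> str:
        if self.is_locked or not self.password:
            return "none"
        if not self.password.startswith("$"):
            return "DES (traditional crypt)"
        ident = self.password.split("$")[1]
        return CRYPT_IDS.get(ident, f"unknown({ident})")

    @property
    def last_change_date(self) -> Optional[date]:
        return EPOCH + timedelta(days=self.last_change) if self.last_change is not None else None

    @property
    def expire_date(self) -> Optional[date]:
        return EPOCH + timedelta(days=self.expire) if self.expire is not None else None


def parse_shadow_line(line: str) -> ShadowEntry:
    fields = line.rstrip("\n").split(":")
    if len(fields) != 9:
        raise ValueError(f"expected 9 colon-separated fields, got {len(fields)}")
    return ShadowEntry(fields[0], fields[1], _days(fields[2]), _days(fields[3]),
                       _days(fields[4]), _days(fields[5]), _days(fields[6]),
                       _days(fields[7]), fields[8])


def audit_entry(e: ShadowEntry) -> List[str]:
    """Settings worth flagging when reviewing a shadow file."""
    findings = []
    if e.password == "":
        findings.append("empty password field: login without a password")
    if e.is_locked:
        findings.append("account locked (password field starts with '!' or '*')")
    if e.max_days is None or e.max_days >= 99999:
        findings.append("no effective maximum password age")
    if e.hash_algorithm in ("MD5", "DES (traditional crypt)"):
        findings.append(f"weak hash algorithm: {e.hash_algorithm}")
    return findings


if __name__ == "__main__":
    for line in (FRANK_LINE, BOB_LINE):
        entry = parse_shadow_line(line)
        print(entry.username, entry.hash_algorithm, entry.last_change_date,
              entry.expire_date, audit_entry(entry))
```

The `$6$` prefix in frank's entry is what identifies the hash as SHA-512 crypt; the salt sits between the second and third `$`, and the remainder is the hash the TryHackMe question asks for.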
That is all for my post. Thanks for reading.