Check Sudo Permissions
NOPASSWD— no password required(ALL)or(root)— runs as root- Specific binaries — check GTFOBins
GTFOBins — Sudo
Common Entries
vim
find
python
perl
less
awk
nmap
env
tar
zip
man
apache2
LD_PRELOAD
Ifsudo -l shows env_keep+=LD_PRELOAD:
Malicious Shared Library
LD_LIBRARY_PATH
Ifenv_keep+=LD_LIBRARY_PATH:
Find Shared Libraries
Hijack Library
Sudo CVEs
CVE-2021-3156 — Baron Samedit (sudo < 1.9.5p2)
Heap buffer overflow in sudo. Any user → root. Check version:CVE-2019-14287 — Sudo Bypass (sudo < 1.8.28)
If sudoers has(ALL, !root) NOPASSWD: /bin/bash:
-1 wraps to UID 0 (root).
CVE-2019-18634 — Sudo pwfeedback (sudo < 1.8.31)
Ifpwfeedback is enabled in /etc/sudoers:
Sudo Shell Escape Sequences
Some programs allow shell escape:| Program | Escape |
|---|---|
vi/vim | :!bash |
less | !bash |
more | !bash |
man | !bash |
ftp | !bash |
gdb | !bash |
nmap | !sh (interactive mode) |