Sudo -l privilege escalation


I am doing a CTF and I am in the last step of it: privilege escalation. With the sudo -l command, the output was this:

Matching Defaults entries for nick on 192:

    always_set_home, !env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",!insults, targetpw

User nick may run the following commands on 192:
    (ALL) ALL
    (root) NOPASSWD: /restart-apache

I know that env_reset shouldn't be disabled but I can't figure out the way to use it to get root access!

$ file restart-apache
restart-apache: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/l, BuildID[sha1]=1b1a4ab278b2d1be83e8b14adfc358cfd277d655, for GNU/Linux 3.2.0, with debug_info, not stripped

Best Answer

From the sudoers man page:

If, however, the env_reset option is disabled, any variables not explicitly denied by the env_check and env_delete options are inherited from the invoking process.

So, you can insert arbitrary environment variables to the launched process.

You don't show what sort of a program /restart-apache is, but if it just so happens to be a shell script, this should be easy. Can you think of any environment variables that would affect what it does? What happens, exactly, when a shell script runs pretty much any command? Where does it find it?

OK, it turns out I didn't get lucky, and it was an actual compiled program instead, so it probably doesn't run that many commands via PATH. It still might, but it's hard to count on that.

That output from file looks like it might be truncated: the output I get from file /bin/ls is this (split to multiple lines):

/bin/ls: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
for GNU/Linux 2.6.32, BuildID[sha1]=3c233e12c466a83aa9b2094b07dbfaa5bd10eccd,
stripped

(The full path to the interpreter is missing from the output in the question.)

If your program uses ld-linux-x86-64.so.2, as all "normal" dynamic executables do, we can start looking at what actually happens when you run such a program. E.g. from here: What is /lib64/ld-linux-x86-64.so.2 and why can it be used to execute file?

Spoiler: the program itself isn't what first runs.

We also find the man page of the dynamic linker. That man page lists some interesting environment variables, which affect the way the program is set up when started, the ones with names like LD_*. You may need to do some coding to get it to do what you want.
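Added example, not part of the question or the answer above: a small Python auditor that parses sudo -l output in the format shown in the question and reports the settings a reviewer would flag (env_reset disabled, env_keep entries that control how a program finds and loads code, NOPASSWD and unrestricted rules). The first sample is the listing from the question; the second is a constructed hardened counterpart with env_reset on, env_keep trimmed to locale variables, secure_path set and the NOPASSWD tag removed. The RISKY_KEEP prefix list is my own choice for this example, not a list taken from sudo.

```python
#!/usr/bin/env python3
"""Audit the text printed by `sudo -l` for environment-handling weaknesses.

Added example (not code from the original post). It parses the Defaults and
command sections of `sudo -l` output and flags the settings a reviewer would
question: env_reset disabled, env_keep entries that influence how programs
load code, and NOPASSWD or unrestricted command rules.
"""
import re

# Copied from the question's `sudo -l` output (user name and host as shown).
WEAK_OUTPUT = """\
Matching Defaults entries for nick on 192:
    always_set_home, !env_reset, env_keep="LANG LC_ADDRESS LC_CTYPE LC_COLLATE
    LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC
    LC_PAPER LC_TELEPHONE LC_ATIME LC_ALL LANGUAGE LINGUAS XDG_SESSION_COOKIE",!insults, targetpw

User nick may run the following commands on 192:
    (ALL) ALL
    (root) NOPASSWD: /restart-apache
"""

# Constructed counterpart: what the same host would print after hardening.
HARDENED_OUTPUT = """\
Matching Defaults entries for nick on 192:
    always_set_home, env_reset, env_keep="LANG LC_ALL", secure_path=/usr/sbin:/usr/bin:/sbin:/bin

User nick may run the following commands on 192:
    (root) /restart-apache
"""

# env_keep names (matched by prefix) that let the caller change which code a
# privileged program runs or where it finds it. Example's own list.
RISKY_KEEP = ("PATH", "LD_", "BASH_ENV", "ENV", "PYTHONPATH", "PERL5LIB", "IFS")

# One Defaults option: optional "!", a name, and an optional (quoted) value.
OPTION_RE = re.compile(r'!?[A-Za-z_]+(?:\s*[+-]?=\s*(?:"[^"]*"|[^,\s]+))?')


def parse_sudo_l(text):
    """Split `sudo -l` output into (list of Defaults options, list of rule lines)."""
    defaults_lines, rules, section = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("User ") and "may run" in line:
            section = "rules"
        elif section == "defaults":
            defaults_lines.append(line)
        elif section == "rules":
            rules.append(line)
    # env_keep="..." wraps across lines in real output, so re-join before tokenising.
    options = OPTION_RE.findall(" ".join(defaults_lines))
    return options, rules


def audit(text):
    """Return a list of human-readable findings for one `sudo -l` listing."""
    options, rules = parse_sudo_l(text)
    findings = []
    if "!env_reset" in options:
        findings.append("env_reset disabled: caller's environment is passed to the command")
    for opt in options:
        if opt.startswith("env_keep"):
            kept = opt.split("=", 1)[1].strip().strip('"').split()
            bad = [name for name in kept if name.startswith(RISKY_KEEP)]
            if bad:
                findings.append("env_keep preserves code-loading variables: " + ", ".join(bad))
    for rule in rules:
        if "NOPASSWD" in rule:
            findings.append("NOPASSWD rule: " + rule)
        if rule == "(ALL) ALL":
            findings.append("unrestricted rule: user may run any command as any user")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_OUTPUT), ("hardened", HARDENED_OUTPUT)):
        print(f"== {label} ==")
        for finding in audit(sample) or ["no findings"]:
            print(" -", finding)
```

The weak listing yields three findings (env_reset disabled, the unrestricted (ALL) ALL rule, and the NOPASSWD rule); the hardened listing yields none. When reviewing a real host, also compare the Defaults against the list of variables sudo removes on its own: sudoers(5) states that this default removal list is printed by sudo -V when run as root.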
