<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Sudo on LEIKAH</title><link>https://leikah.haoyingcao.xyz/en/tags/sudo/</link><description>Recent content in Sudo on LEIKAH</description><generator>Hugo</generator><language>en</language><atom:link href="https://leikah.haoyingcao.xyz/en/tags/sudo/index.xml" rel="self" type="application/rss+xml"/><item><title>Sudo</title><link>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/sudo/</link><pubDate>Mon, 01 Jan 0001 00:00:00 +0000</pubDate><guid>https://leikah.haoyingcao.xyz/en/docs/priv_esc/linux/permission/sudo/</guid><description>&lt;p&gt;Sudo privileges can be granted to an account, permitting the account to run certain commands in the context of root or another account. When &lt;code&gt;sudo&lt;/code&gt; is prepended to a command, the system checks whether the user issuing the command has the appropriate rights as configured in the &lt;code&gt;/etc/sudoers&lt;/code&gt; file.&lt;/p&gt;
&lt;p&gt;Sudo privileges can be enumerated using &lt;code&gt;sudo -l&lt;/code&gt;:&lt;/p&gt;
&lt;ul&gt;
&lt;li&gt;Sometimes running this command requires us to provide the user&amp;rsquo;s password.&lt;/li&gt;
&lt;li&gt;If an entry is marked with &lt;code&gt;NOPASSWD&lt;/code&gt;, we can run the command without providing the user&amp;rsquo;s password.&lt;/li&gt;
&lt;/ul&gt;
&lt;div class="highlight"&gt;&lt;pre tabindex="0" style="color:#d8dee9;background-color:#2e3440;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"&gt;&lt;code class="language-shell-session" data-lang="shell-session"&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;john@NIX02:~$ sudo -l
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bf616a"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;Matching Defaults entries for john on NIX02:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;&lt;span style="color:#bf616a"&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt;User john may run the following commands on NIX02:
&lt;/span&gt;&lt;/span&gt;&lt;span style="display:flex;"&gt;&lt;span&gt; (root) NOPASSWD: /usr/sbin/tcpdump
&lt;/span&gt;&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;&lt;/div&gt;&lt;p&gt;From here, the goal is to &lt;strong&gt;execute commands from the program we are allowed to run&lt;/strong&gt;. We can make use of resources such as &lt;a href="https://gtfobins.org/"&gt;GTFOBins&lt;/a&gt; to find options and other ways to execute commands as &lt;code&gt;root&lt;/code&gt;, or research vulnerabilities in the specific version of the installed executable listed above.&lt;/p&gt;</description></item></channel></rss>