m4lwhere
Checking the sudo privileges of the m4lwhere user after the lateral movement:
m4lwhere@previse:~$ sudo -l
[sudo] password for m4lwhere:
User m4lwhere may run the following commands on previse:
(root) /opt/scripts/access_backup.sh
The m4lwhere user can execute /opt/scripts/access_backup.sh as the root user through sudo. The password prompt shows the rule carries no NOPASSWD tag, so m4lwhere's own password is required. Note what sudo -l does not print: there is no "Matching Defaults entries" section, so no sudoers Defaults apply to this user.
/opt/scripts/access_backup.sh
m4lwhere@previse:~$ ll /opt/scripts/access_backup.sh
-rwxr-xr-x 1 root root 486 Jun 6 2021 /opt/scripts/access_backup.sh*
m4lwhere@previse:~$ cat /opt/scripts/access_backup.sh
#!/bin/bash
# We always make sure to store logs, we take security SERIOUSLY here
# I know I shouldnt run this as root but I cant figure it out programmatically on my account
# This is configured to run with cron, added to sudo so I can run as needed - we'll fix it later when there's time
gzip -c /var/log/apache2/access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_access.gz
gzip -c /var/www/file_access.log > /var/backups/$(date --date="yesterday" +%Y%b%d)_file_access.gz
This Bash script looks like part of the web application, since it archives the Apache access log and the application's own file_access.log into /var/backups, but its comments are the interesting part. According to them, the script is scheduled with cron, runs as root because the author could not make it work otherwise, and was added to sudoers so it can also be run on demand.
The script does nothing more than call gzip to compress the two logs. The important detail is that gzip is invoked WITHOUT an absolute path, so it is resolved through whatever $PATH the caller has at the time sudo runs the script.
Path Hijacking
The sudoers configuration does not restrict the environment either: sudo -l printed no Defaults, so the standard Ubuntu line (env_reset, mail_badpass, secure_path=...) is absent and the caller's environment, including $PATH, reaches the command unchanged.
Restrictions like these are set as sudoers options (Defaults entries in /etc/sudoers). Some relevant ones are:
env_reset: runs the command with a new, minimal environment consisting of a few fixed variables (HOME, PATH, SHELL, TERM and the like) plus anything listed in env_keep; everything else the user set is discarded. On its own it does not replace PATH, so it does not stop PATH hijacking unless secure_path is also set.
env_delete: lists variables that are removed from the environment when env_reset is disabled; it is the blocklist counterpart of env_keep.
env_check: lists variables that are passed through only if their values contain no % or / characters; it checks content, while env_keep is the actual allowlist of variables preserved under env_reset.
secure_path: the value is used as PATH for every command run through sudo, regardless of what the caller's PATH contains. It does not reject commands; it fixes where unqualified command names such as gzip are looked up, which is exactly the protection this script needs.
sudoedit: not a Defaults option but a mode of sudo (sudo -e) in which the target file is copied to a temporary file and the editor runs as the invoking user, so an editor escape does not yield a root shell; sudoers rules can grant sudoedit on specific files only.
requiretty: requires the invoking user to have a tty. It does not restrict the environment; it mostly gets in the way of non-interactive use (for example from a web shell), which is why it is sometimes relied on as a speed bump.
Without secure_path, the unqualified gzip call becomes a privilege escalation: an attacker who can run the script through sudo prepends a directory he controls to his own $PATH, places an executable named gzip in it, and that executable is run as root when the script is invoked.
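To show what the missing restriction means in practice, here is an added example (written for this page; it is not the box's script or the original author's exploit). It copies the "gzip -c" pattern from access_backup.sh into a scratch directory, drops a fake gzip into an attacker-controlled directory, and runs the pattern three ways: with the attacker's directory prepended to PATH (the situation on this box), with PATH forced to Ubuntu's default secure_path value (what a Defaults secure_path line makes sudo do), and with gzip called by absolute path. It runs as an unprivileged user with no sudo involved, so the fake gzip only records that it ran; the log line, the directory layout and the HIJACK_MARKER variable are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: PATH hijack of an unqualified "gzip" call, plus the two fixes.
# Everything here runs unprivileged in a temporary directory.
set -u

REAL_GZIP=$(command -v gzip)   # resolved once, before PATH is tampered with
# Ubuntu's stock secure_path value (assumption about the box's original Defaults).
SECURE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

# Vulnerable pattern, as in access_backup.sh: gzip is looked up through $PATH.
vulnerable_backup() {
    gzip -c "$1/access.log" > "$1/backups/access.gz"
}

# Fix 1: call the binary by absolute path so $PATH never matters.
hardened_backup() {
    "$REAL_GZIP" -c "$1/access.log" > "$1/backups/access.gz"
}

# Builds a scratch tree holding a constructed log file and an attacker-controlled
# bin/ directory with a fake gzip that just records that it was executed.
# On the real box this is where a reverse shell or a SUID copy of bash would go.
setup_workspace() {
    work=$(mktemp -d)
    mkdir -p "$work/bin" "$work/backups"
    printf 'GET /login.php HTTP/1.1\n' > "$work/access.log"   # constructed log line
    cat > "$work/bin/gzip" <<'EOF'
#!/bin/sh
echo "hijacked gzip ran as $(id -un)" >> "$HIJACK_MARKER"
EOF
    chmod +x "$work/bin/gzip"
    : > "$work/marker"
    echo "$work"
}

# Runs backup function $1 with the attacker's directory prepended to PATH.
# If $2 is "secure", PATH is replaced by SECURE_PATH first, which is what
# "Defaults secure_path=..." makes sudo do regardless of the caller's PATH.
# Returns 0 if the fake gzip ran (hijack succeeded), 1 if the real gzip ran.
attempt_hijack() {
    work=$(setup_workspace)
    export HIJACK_MARKER="$work/marker"
    (
        PATH="$work/bin:$PATH"
        [ "${2:-}" = secure ] && PATH="$SECURE_PATH"
        "$1" "$work"
    )
    if grep -q "hijacked gzip ran" "$HIJACK_MARKER"; then
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}

# Stand-alone demonstration of the three cases.
attempt_hijack vulnerable_backup && echo "unqualified gzip + attacker PATH: hijacked"
attempt_hijack vulnerable_backup secure || echo "same script under secure_path: real gzip ran"
attempt_hijack hardened_backup || echo "absolute path to gzip: real gzip ran"
```

Either fix alone closes this particular hole, but they protect different things: the absolute path hardens the script, while secure_path hardens every rule in sudoers, including ones added later by someone who "cannot figure it out programmatically".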
Moving on to Privilege Escalation phase