Exploiting Sudo Misconfiguration to Get Root Shell

If you are new to sudo, I have already written a post on the topic explaining what sudo is and how to use it. You can find the link here.

I found only one lab suitable to demonstrate a sudo vulnerability. Later in this series, you will see there are more labs that have sudo vulnerabilities and others that will be discussed later.

You can find the lab here – https://attackdefense.com/challengedetails?cid=80

As usual, start by looking for SUID binaries to exploit. In this lab, you will find that there are no unusual SUID binaries.

In the above screenshot, we found that sudo is installed on the system. On checking sudo privileges with sudo -l, I found that the currently logged-in user can execute the /usr/bin/man command as the root user without entering a password.

Some Linux tools, man among them, allow you to execute commands from inside the tool.

Since man in this case can be executed with sudo, simply open the manual page for man itself:

sudo /usr/bin/man man

Now, press ESC and then run the !/bin/bash -ip command inside man to get a root shell. The exclamation mark (!) tells man to execute the command that follows.

Even if you are new to the man utility, you can always look up exploitation techniques on GTFOBins.
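From the defender's side, the same sudo -l check can be scripted to catch grants like the one in this lab. The script below is an added example, not part of the original post: the list of binaries is a short illustrative subset chosen here, and the sample sudo -l output (user "student", host "lab") is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): flag sudo rules that grant
# programs able to launch a shell from inside themselves.
# ESCAPE_BINS is a short illustrative subset (assumption), not a full list.
ESCAPE_BINS="man less more vi vim ed awk find"

# Constructed sample of `sudo -l` output; user and host names are made up.
sample_sudo_l() {
cat <<'EOF'
Matching Defaults entries for student on lab:
    env_reset, mail_badpass

User student may run the following commands on lab:
    (root) NOPASSWD: /usr/bin/man
    (root) /usr/bin/systemctl status nginx, /usr/bin/less /var/log/syslog
    (ALL) NOPASSWD: /usr/bin/id
EOF
}

# Reads `sudo -l` output on stdin and prints one line per risky grant:
#   <runas> <NOPASSWD|PASSWD> <command path>
audit_sudo_l() {
  awk -v bins="$ESCAPE_BINS" '
    BEGIN { n = split(bins, b, " "); for (i = 1; i <= n; i++) risky[b[i]] = 1 }
    /^[ \t]+\(/ {                      # rule lines start with "(runas)"
      line = $0; sub(/^[ \t]+/, "", line)
      auth = "PASSWD"; runas = ""
      m = split(line, cmds, /,[ \t]*/) # one rule line can list several commands
      for (j = 1; j <= m; j++) {
        c = cmds[j]
        if (match(c, /^\([^)]*\)[ \t]*/)) {
          runas = substr(c, 1, RLENGTH); c = substr(c, RLENGTH + 1)
          sub(/[ \t]+$/, "", runas)
        }
        while (match(c, /^[A-Z_]+:[ \t]*/)) {   # tags carry over to later commands
          tag = substr(c, 1, RLENGTH); c = substr(c, RLENGTH + 1)
          if (tag ~ /^NOPASSWD:/) auth = "NOPASSWD"
          if (tag ~ /^PASSWD:/) auth = "PASSWD"
        }
        split(c, w, " "); base = w[1]; sub(/.*\//, "", base)
        # A fixed argument (e.g. a log file) does not disable the escape.
        if (base in risky) print runas, auth, w[1]
      }
    }'
}

# On a real host: sudo -l | audit_sudo_l
sample_sudo_l | audit_sudo_l
```

Any line it prints is a sudo rule worth removing or replacing with a purpose-built wrapper, with NOPASSWD entries first.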

Gurkirat Singh

Hey there everyone, I am Gurkirat Singh (aka tbhaxor). I do full-stack development to fund my own learning and experiments. I am a cybersecurity enthusiast and like sharing my knowledge.