You have access to the vim text editor via sudo, but shell escapes are blocked. How do you escalate privileges to get an unfettered root shell without sudo?

#Linux #DFIR #CommandLine #Trivia

Yesterday's Linux DFIR command line trivia asked what you can do to escalate privilege if you have sudo access to the vim text editor. The constraints are that shell escapes are disabled (see the "noexec" option to sudo) and your final privilege escalation path must not use sudo (because logging, y'all). Several people checked in with good ideas!

@steve and @millert (who knows a little something about sudo-- look it up) jumped in with a classic. Simply edit /etc/passwd and make your regular account UID 0 (or make yourself a new UID 0 account you can su into). Any account with UID 0 has root privs. You will need to log out and log back in again after making this change.

@millert and @timb_machine suggested setting up a root cron job to execute whatever commands you want-- just drop a new script into /etc/cron.hourly. For example, you could run commands as root to give you a set-UID copy of the shell:

cp /bin/bash /tmp/evil-bash
chown root:root /tmp/evil-bash
chmod 4555 /tmp/evil-bash

@rkervell went for editing a file like /etc/ld.so.conf and setting up an LD_PRELOAD style rootkit. Google "Linux LD_PRELOAD rootkit" for more background and some working examples.

@timb_machine checked in with a bunch of good ideas. For example, adding your own SSH public key to /root/.ssh/authorized_keys. You might also need to modify the "PermitRootLogin" setting in /etc/ssh/sshd_config, but once you have your key in authorized_keys you should be able to HUP the SSH server remotely to pick up the config change.

He also suggested making changes to other start-up files for the root user. For example, /root/.bashrc which will execute on every root shell execution (like the commands suggested for the evil cron job above). You might have to wait a bit for this to trigger though.

Tim also suggested using vim to overwrite an existing set-UID binary. For example, once you run "sudo vim" you could:

:r /bin/bash
:w! /usr/bin/chfn
:q

Then you should be able to execute "/usr/bin/chfn -p" and get your root shell.

That's a bunch of good ideas so far. One other idea I can think of is to modify the system PAM configuration. I'd have to fully research this idea, but you should be able to modify /etc/pam.d/su to remove the authentication requirement.

So the takeaway here is never give anybody root access to a text editor. Even if they don't directly shell escape, there's a lot of evil they can do!
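An added DFIR check, not part of the original thread, for three of the artifacts the answers above would leave behind: extra UID 0 entries in /etc/passwd, an emptied root hash in /etc/shadow, and set-UID root files sitting in /tmp. The sample passwd and shadow text is constructed; on a live host you would feed the real files and compare the set-UID list against what the package manager says should be there.

```python
import os
import stat

# Constructed sample /etc/passwd and /etc/shadow contents (not taken from a real host)
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
backup2:x:0:0:maint:/tmp:/bin/bash
"""
SAMPLE_SHADOW = """root::19000:0:99999:7:::
daemon:*:19000:0:99999:7:::
alice:$6$saltsalt$notarealhash:19000:0:99999:7:::
backup2:!:19000:0:99999:7:::
"""

def uid0_accounts(passwd_text):
    """Usernames other than root whose UID field is 0 (extra root-equivalent accounts)."""
    hits = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2] == "0" and fields[0] != "root":
            hits.append(fields[0])
    return hits

def passwordless_accounts(shadow_text):
    """Accounts whose shadow hash field is empty: login and su succeed with no password."""
    hits = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2 and fields[1] == "":
            hits.append(fields[0])
    return hits

def setuid_root_files(paths, stat_fn=os.stat):
    """Paths that are set-UID and owned by UID 0; stat_fn is injectable so it can be tested offline."""
    hits = []
    for path in paths:
        try:
            st = stat_fn(path)
        except OSError:
            continue  # vanished or unreadable; a thorough audit would log this too
        if st.st_uid == 0 and st.st_mode & stat.S_ISUID:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print("extra UID 0 accounts:", uid0_accounts(SAMPLE_PASSWD))          # -> ['backup2']
    print("passwordless accounts:", passwordless_accounts(SAMPLE_SHADOW))  # -> ['root']
    tmp = [os.path.join("/tmp", f) for f in os.listdir("/tmp")] if os.path.isdir("/tmp") else []
    print("set-UID root files in /tmp:", setuid_root_files(tmp))
```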

@hal_pomeranz To be fair, it was @rkervell who suggested messing with dynamic loading. My suggestion was to overwrite the vim binary. 😅
@ilikepi @rkervell Argh! My bad! I went back and edited my answer above.
@hal_pomeranz Edit /etc/sudoers?
@piquant00
I have a similar issue in an old pc. Can't find the password for sudo.
Can't update Linux, can't even reinstall it since I can't boot from the USB pretty crazy
#linuxhelp
@hal_pomeranz
@away2thestars @piquant00 https://linoxide.com/boot-root-shell-prompting-password/ - Once you are at the root prompt, edit /etc/shadow and remove the password hash for the root account. Reboot the system normally and you will be able to log in as root without entering a password.

@hal_pomeranz @away2thestars @mastodon.gamedev.place @piquant00

Not quite the same, but similar - at a former role working in an IA lab, while rotating root password on Solaris 10, we fat fingered the new phrase twice and got locked out of root.

I was able to use the low level OS on the Sun box to find the proper sector where the OS partition was and then mount it to boot into single user mode.

From there we edited the shadow file and cleared out the root password hash, saved, then shutdown single user mode and booted back into the proper OS, then sudo'd to root with no password, then changed the password using passwd.

That was a lot of fun.

@crash0ver1d3 @away2thestars @piquant00 Then there was that time in the early 90’s when I had to walk a graveyard shift operator through editing the fstab using “ed”. File got corrupted and /usr wouldn’t mount. So we had old school Unix /sbin only— “ed” but no “vi”.
@hal_pomeranz @piquant00 how can I get the root prompt though since there isn't/haven't got passwd to root 🥲
@away2thestars @piquant00 Just enter "root" as your username to log in, or if you're logged in as a regular user just use "su".
@hal_pomeranz
I wrote su->entered password ->authentication failure
@piquant00
@away2thestars If you properly removed the password hash for the root account in /etc/shadow you should not even be prompted for a password.
@hal_pomeranz
I can see a shadow file I can't edit it since I'm not root
@away2thestars Oh I understand now. You need to reboot your system (power it off and on if necessary) and follow the advice in the original article I linked to. You will boot into a bash shell running as root and can edit /etc/shadow from there.

@away2thestars @hal_pomeranz

"su" doesn't work on *buntu which has the root account disabled by default.

@piquant00 Right, but I want a way to get root without sudo.
@hal_pomeranz
If you're using a distro where the root account is locked the only way I know is to use "sudo passwd root" to enable the root account. I'm far from being a 1337 h4x0r though, so it wouldn't surprise me if there's a more hacky way.
@hal_pomeranz Easiest is to just edit /etc/password and create another uid zero account with no password (or make a password in /etc/shadow), then su to it. Of course you could just edit /etc/sudoers or create a new file in /etc/sudoers.d too but you said without sudo so...
@hal_pomeranz
Edit /etc/passwd and change your UID to 0
@hal_pomeranz Another fun one is to edit /etc/crontab (or one of the scripts it runs) and add whatever shell commands you desire. The sky's the limit...

@hal_pomeranz

:e /etc/shadow
(Evil is added here: Remove or replace the root password)
:w!
:q
su
(Fun shall now commence)

@hal_pomeranz modify the dynamic linker/loader to preload a lib you planted.

https://man7.org/linux/man-pages/man8/ld.so.8.html

@hal_pomeranz Open the vim binary in vim via sudo, then rewrite its contents with the contents of some other binary...or I guess even a small script that exec's a shell, since sudo will just run it regardless (I think)...
@hal_pomeranz edit .vimrc to run a shell and source it by restarting vim?
Edit /etc/shadow?

@hal_pomeranz

> shell escapes are blocked

what does this mean?

@hal_pomeranz @smlx It means you can do the obvious thing of !sh or whatever, means you need to mostly use vi as intended rather than as a shell
edit /usr/bin/vi and turn it into a shell script that runs an interactive shell? you got one shot ;-)