Sudo Commands - Metasploit


This page contains detailed information about how to use the post/multi/recon/sudo_commands metasploit module. For a list of all metasploit modules, visit the Metasploit Module Library.

Module Overview


Name: Sudo Commands
Module: post/multi/recon/sudo_commands
Source code: modules/post/multi/recon/sudo_commands.rb
Disclosure date: -
Last modification time: 2022-10-08 09:50:25 +0000
Supported architecture(s): -
Supported platform(s): BSD, Linux, OSX, Solaris, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -

This module examines the sudoers configuration for the session user and lists the commands executable via sudo. This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be useful for privesc, such as utilities designed for file read/write, user modification, or execution of arbitrary operating system commands. Note, you may need to provide the password for the session user.

Module Ranking and Traits


Module Ranking:

  • normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.

Basic Usage


There are two ways to execute this post module.

From the Meterpreter prompt

The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:

meterpreter > run post/multi/recon/sudo_commands

From the msf prompt

The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.

msf > use post/multi/recon/sudo_commands
msf post(sudo_commands) > show options
    ... show and set options ...
msf post(sudo_commands) > set SESSION session-id
msf post(sudo_commands) > exploit

If you wish to run the post against all sessions from framework, here is how:

1 - Create the following resource script:


<ruby>
# Iterate over every open session and run the post module against each one.
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/recon/sudo_commands")
  run_single("set SESSION #{sid}")
  run_single("run")
end
</ruby>

2 - At the msf prompt, execute the above resource script:

msf > resource path-to-resource-script

Required Options


  • SESSION: The session to run this module on.

Knowledge Base


Description


This module examines the sudoers configuration for the session user and lists the commands executable via sudo.

This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be useful for privesc, such as utilities designed for file read/write, user modification, or execution of arbitrary operating system commands.

Note, you may need to provide the password for the session user.

Verification Steps


  1. Start msfconsole
  2. Get a session
  3. use post/multi/recon/sudo_commands
  4. set SESSION [SESSION]
  5. run
  6. You should receive a list of available sudo commands

Options


SESSION

Which session to use; the available sessions can be listed with the sessions command

SUDO_PATH

Path to sudo executable (default: /usr/bin/sudo)

PASSWORD

Password for the session user

Scenarios


  msf5 > use post/multi/recon/sudo_commands
  msf5 post(multi/recon/sudo_commands) > set session 1
  session => 1
  msf5 post(multi/recon/sudo_commands) > set verbose true
  verbose => true
  msf5 post(multi/recon/sudo_commands) > run

  [*] Executing: /usr/bin/sudo -n -l
  Matching Defaults entries for wvu on localhost:
      !visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

  User wvu may run the following commands on localhost:
      (ALL) ALL
      (ALL) NOPASSWD: ALL
      (root) /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
      (root) /sbin/shutdown -h now

  [*] Command: "ALL" RunAsUsers: ALL
  [+] sudo any command!
  [*] Command: "ALL" RunAsUsers: ALL without providing a password
  [+] sudo any command!
  [*] Command: "/sbin/mount /mnt/cdrom" RunAsUsers: root
  [*] Command: "/sbin/umount /mnt/cdrom" RunAsUsers: root
  [*] Command: "/sbin/shutdown -h now" RunAsUsers: root

  Sudo Commands
  =============

    Command                  RunAsUsers  RunAsGroups  Password?  Privesc?
    -------                  ----------  -----------  ---------  --------
    /sbin/mount /mnt/cdrom   root                     True
    /sbin/shutdown -h now    root                     True
    /sbin/umount /mnt/cdrom  root                     True
    ALL                      ALL                      True       True
    ALL                      ALL                                 True

  [+] Output stored in: /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt
  [*] Post module execution completed
  msf5 post(multi/recon/sudo_commands) > cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt
  [*] exec: cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt

  Command,RunAsUsers,RunAsGroups,Password?,Privesc?
  "/sbin/mount /mnt/cdrom","root","","True",""
  "/sbin/shutdown -h now","root","","True",""
  "/sbin/umount /mnt/cdrom","root","","True",""
  "ALL","ALL","","True","True"
  "ALL","ALL","","","True"
  msf5 post(multi/recon/sudo_commands) >


Msfconsole Usage


Here is how the multi/recon/sudo_commands post exploitation module looks in the msfconsole:

msf6 > use post/multi/recon/sudo_commands

msf6 post(multi/recon/sudo_commands) > show info

       Name: Sudo Commands
     Module: post/multi/recon/sudo_commands
   Platform: BSD, Linux, OSX, Solaris, Unix
       Arch: 
       Rank: Normal

Provided by:
  bcoles <[email protected]>

Compatible session types:
  Meterpreter
  Shell

Basic options:
  Name       Current Setting  Required  Description
  ----       ---------------  --------  -----------
  PASSWORD                    no        Password for the current user
  SESSION                     yes       The session to run this module on.
  SUDO_PATH  /usr/bin/sudo    yes       Path to sudo executable

Description:
  This module examines the sudoers configuration for the session user 
  and lists the commands executable via sudo. This module also 
  inspects each command and reports potential avenues for privileged 
  code execution due to poor file system permissions or permitting 
  execution of executables known to be useful for privesc, such as 
  utilities designed for file read/write, user modification, or 
  execution of arbitrary operating system commands. Note, you may need 
  to provide the password for the session user.

Module Options


This is a complete list of options available in the multi/recon/sudo_commands post exploitation module:

msf6 post(multi/recon/sudo_commands) > show options

Module options (post/multi/recon/sudo_commands):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        Password for the current user
   SESSION                     yes       The session to run this module on.
   SUDO_PATH  /usr/bin/sudo    yes       Path to sudo executable

Advanced Options


Here is a complete list of advanced options supported by the multi/recon/sudo_commands post exploitation module:

msf6 post(multi/recon/sudo_commands) > show advanced

Module advanced options (post/multi/recon/sudo_commands):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module

Post Actions


This is a list of all post exploitation actions which the multi/recon/sudo_commands module can do:

msf6 post(multi/recon/sudo_commands) > show actions

Post actions:

   Name  Description
   ----  -----------

Evasion Options


Here is the full list of possible evasion options supported by the multi/recon/sudo_commands post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):

msf6 post(multi/recon/sudo_commands) > show evasion

Module evasion options:

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Error Messages


This module may fail with the following error messages:

Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.

Could not parse sudoers entry: <LINE.INSPECT>


Here is a relevant code snippet related to the "Could not parse sudoers entry: <LINE.INSPECT>" error message:

    formatted_data.split("\n").reject { |line| line.eql?('') }.each do |line|
      run_as = line.scan(/^\((.+?)\)/).flatten.first

      if run_as.blank?
        print_warning "Could not parse sudoers entry: #{line.inspect}"
        next
      end

      user = run_as.split(':')[0].to_s.strip || ''
      group = run_as.split(':')[1].to_s.strip || ''

Could not parse sudo command: <CMD.INSPECT>


Here is a relevant code snippet related to the "Could not parse sudo command: <CMD.INSPECT>" error message:

        if cmd.start_with? '('
          run_as = cmd.scan(/^\((.+?)\)/).flatten.first

          if run_as.blank?
            print_warning "Could not parse sudo command: #{cmd.inspect}"
            next
          end

          user = run_as.split(':')[0].to_s.strip || ''
          group = run_as.split(':')[1].to_s.strip || ''

Could not parse sudo ouput: <E.MESSAGE>


Here is a relevant code snippet related to the "Could not parse sudo ouput: <E.MESSAGE>" error message:

        @results << [cmd, user, group, no_passwd ? '' : 'True', eop ? 'True' : '']
      end
    end
  rescue => e
    print_error "Could not parse sudo ouput: #{e.message}"
  end

  def run
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'

Session already has root privileges


Here is a relevant code snippet related to the "Session already has root privileges" error message:

    print_error "Could not parse sudo ouput: #{e.message}"
  end

  def run
    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless is_executable? sudo_path
      print_error 'Could not find sudo executable'
      return

Could not find sudo executable


Here is a relevant code snippet related to the "Could not find sudo executable" error message:

    if is_root?
      fail_with Failure::BadConfig, 'Session already has root privileges'
    end

    unless is_executable? sudo_path
      print_error 'Could not find sudo executable'
      return
    end

    output = sudo_list
    vprint_line output

Incorrect password


Here is a relevant code snippet related to the "Incorrect password" error message:

    output = sudo_list
    vprint_line output
    vprint_line

    if output.include? 'Sorry, try again'
      fail_with Failure::NoAccess, 'Incorrect password'
    end

    if output =~ /^Sorry, .* may not run sudo/
      fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
    end

Session user is not permitted to execute any commands with sudo


Here is a relevant code snippet related to the "Session user is not permitted to execute any commands with sudo" error message:

    if output.include? 'Sorry, try again'
      fail_with Failure::NoAccess, 'Incorrect password'
    end

    if output =~ /^Sorry, .* may not run sudo/
      fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
    end

    if output !~ /may run the following commands/
      fail_with Failure::NoAccess, 'Incorrect password, or the session user is not permitted to execute any commands with sudo'
    end

Incorrect password, or the session user is not permitted to execute any commands with sudo


Here is a relevant code snippet related to the "Incorrect password, or the session user is not permitted to execute any commands with sudo" error message:

    if output =~ /^Sorry, .* may not run sudo/
      fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
    end

    if output !~ /may run the following commands/
      fail_with Failure::NoAccess, 'Incorrect password, or the session user is not permitted to execute any commands with sudo'
    end

    @results = Rex::Text::Table.new(
      'Header'  => 'Sudo Commands',
      'Indent'  => 2,

Found no sudo commands for the session user


Here is a relevant code snippet related to the "Found no sudo commands for the session user" error message:

    )

    parse_sudo output

    if @results.rows.empty?
      print_status 'Found no sudo commands for the session user'
      return
    end

    print_line
    print_line @results.to_s
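The snippets above show the module's outcome checks on the raw `sudo -n -l` output and the shape of the rows it stores. The following is an added example, not the module's own code and not part of this page's source, written as a stand-alone Ruby audit helper a defender can run against saved `sudo -l` output: it applies the same three outcome checks the module uses (incorrect password, user refused outright, no command listing), parses each "(runas) [tags:] command, command" entry into the same columns as the loot CSV shown in the Scenarios section, and flags the two escalation signals the page names, an `ALL` entry and a command binary with weak (world-writable) file permissions. The sample input is a constructed, trimmed copy of the Scenarios output; `classify_sudo_output`, `weak_permissions?`, `parse_sudo_commands` and `to_loot_csv` are names chosen for this example, and the tag handling (`NOPASSWD:` and similar uppercase prefixes) is an assumption about standard sudoers syntax rather than something the page states.

```ruby
require 'csv'

# Constructed sample: the `sudo -n -l` output from the Scenarios section,
# trimmed to the lines that matter for parsing.
SAMPLE_SUDO_OUTPUT = <<~OUT
  Matching Defaults entries for wvu on localhost:
      !visiblepw, always_set_home, env_reset, secure_path=/sbin\\:/bin\\:/usr/sbin\\:/usr/bin

  User wvu may run the following commands on localhost:
      (ALL) ALL
      (ALL) NOPASSWD: ALL
      (root) /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
      (root) /sbin/shutdown -h now
OUT

# The same outcome checks the module applies before parsing: a rejected
# password, a user sudo refuses outright, or output with no command listing.
def classify_sudo_output(output)
  return :incorrect_password if output.include?('Sorry, try again')
  return :not_permitted if output =~ /^Sorry, .* may not run sudo/
  return :no_command_list unless output =~ /may run the following commands/
  :ok
end

# Poor file system permissions on the command itself are one of the privesc
# avenues the module description names: a world-writable binary that root runs
# can be replaced by any local user. File.world_writable? returns nil when the
# path does not exist, so missing paths are simply not flagged.
def weak_permissions?(command)
  path = command.split(' ').first
  return false unless path && path.start_with?('/')
  !File.world_writable?(path).nil?
end

# Parse the command listing into rows shaped like the module's loot CSV:
# Command, RunAsUsers, RunAsGroups, Password? (true when a password is
# required), Privesc? (true when the entry is an obvious escalation).
def parse_sudo_commands(output)
  return [] unless classify_sudo_output(output) == :ok

  listing = output.split(/may run the following commands[^\n]*\n/, 2).last
  rows = []

  listing.each_line(chomp: true) do |line|
    line = line.strip
    next if line.empty?

    match = line.match(/\A\((?<run_as>.+?)\)\s*(?<rest>.*)\z/)
    next unless match # not a "(runas) command" entry; skipped, as the module does

    user, group = match[:run_as].split(':', 2).map { |s| s.to_s.strip }
    rest = match[:rest]

    # Uppercase tags such as NOPASSWD: or SETENV: precede the command list
    # (assumed standard sudoers syntax). Only NOPASSWD affects the columns here.
    tags = []
    while (tag = rest.match(/\A([A-Z]+):\s*(.*)\z/m))
      tags << tag[1]
      rest = tag[2]
    end
    password_required = !tags.include?('NOPASSWD')

    # Commands are comma separated; commas inside a command are not handled.
    rest.split(/,\s+/).each do |cmd|
      rows << {
        command: cmd,
        run_as_user: user,
        run_as_group: group.to_s,
        password: password_required,
        privesc: cmd == 'ALL' || weak_permissions?(cmd)
      }
    end
  end

  # Same ordering as the module's table: by command, password-required first.
  rows.sort_by { |r| [r[:command], r[:password] ? 0 : 1] }
end

# Render rows in the loot file format shown in the Scenarios section.
def to_loot_csv(rows)
  header = "Command,RunAsUsers,RunAsGroups,Password?,Privesc?\n"
  header + rows.map do |r|
    CSV.generate_line([r[:command], r[:run_as_user], r[:run_as_group],
                       r[:password] ? 'True' : '', r[:privesc] ? 'True' : ''],
                      force_quotes: true)
  end.join
end

if __FILE__ == $PROGRAM_NAME
  puts to_loot_csv(parse_sudo_commands(SAMPLE_SUDO_OUTPUT))
end
```

Run with `ruby sudo_audit.rb` to print the five rows from the sample in the loot layout; to audit a real host, replace the constant with the captured output of `sudo -n -l` for the account being reviewed. The parser deliberately reports only what the page's table reports (run-as user and group, whether a password is required, and the `ALL` or weak-permission escalation flags) so that each row can be checked against the sudoers policy the administrator intended.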


Authors


  • bcoles

Version


This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.
