Sudo Commands - Metasploit
This page contains detailed information about how to use the post/multi/recon/sudo_commands Metasploit module. For a list of all Metasploit modules, visit the Metasploit Module Library.
Module Overview
Name: Sudo Commands
Module: post/multi/recon/sudo_commands
Source code: modules/post/multi/recon/sudo_commands.rb
Disclosure date: -
Last modification time: 2022-10-08 09:50:25 +0000
Supported architecture(s): -
Supported platform(s): BSD, Linux, OSX, Solaris, Unix
Target service / protocol: -
Target network port(s): -
List of CVEs: -
This module examines the sudoers configuration for the session user and lists the commands executable via sudo. This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be useful for privesc, such as utilities designed for file read/write, user modification, or execution of arbitrary operating system commands. Note, you may need to provide the password for the session user.
Module Ranking and Traits
Module Ranking:
- normal: The exploit is otherwise reliable, but depends on a specific version and can't (or doesn't) reliably autodetect. More information about ranking can be found here.
Basic Usage
There are two ways to execute this post module.
From the Meterpreter prompt
The first is by using the "run" command at the Meterpreter prompt. It allows you to run the post module against that specific session:
meterpreter > run post/multi/recon/sudo_commands
From the msf prompt
The second is by using the "use" command at the msf prompt. You will have to figure out which session ID to set manually. To list all session IDs, you can use the "sessions" command.
msf > use post/multi/recon/sudo_commands
msf post(sudo_commands) > show options
... show and set options ...
msf post(sudo_commands) > set SESSION session-id
msf post(sudo_commands) > exploit
If you wish to run the post module against all sessions from the framework, here is how:
1 - Create the following resource script:
framework.sessions.each_pair do |sid, session|
  run_single("use post/multi/recon/sudo_commands")
  run_single("set SESSION #{sid}")
  run_single("run")
end
2 - At the msf prompt, execute the above resource script:
msf > resource path-to-resource-script
Required Options
- SESSION: The session to run this module on.
Knowledge Base
Description
This module examines the sudoers configuration for the session user and lists the commands executable via sudo. This module also inspects each command and reports potential avenues for privileged code execution due to poor file system permissions or permitting execution of executables known to be useful for privesc, such as utilities designed for file read/write, user modification, or execution of arbitrary operating system commands. Note, you may need to provide the password for the session user.
Verification Steps
- Start msfconsole
- Get a session
- use post/multi/recon/sudo_commands
- set SESSION [SESSION]
- run
- You should receive a list of available sudo commands
Options
- SESSION: Which session to use, which can be viewed with sessions
- SUDO_PATH: Path to sudo executable (default: /usr/bin/sudo)
- PASSWORD: Password for the session user
Scenarios
msf5 > use post/multi/recon/sudo_commands
msf5 post(multi/recon/sudo_commands) > set session 1
session => 1
msf5 post(multi/recon/sudo_commands) > set verbose true
verbose => true
msf5 post(multi/recon/sudo_commands) > run
[*] Executing: /usr/bin/sudo -n -l
Matching Defaults entries for wvu on localhost:
!visiblepw, always_set_home, match_group_by_gid, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User wvu may run the following commands on localhost:
(ALL) ALL
(ALL) NOPASSWD: ALL
(root) /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
(root) /sbin/shutdown -h now
[*] Command: "ALL" RunAsUsers: ALL
[+] sudo any command!
[*] Command: "ALL" RunAsUsers: ALL without providing a password
[+] sudo any command!
[*] Command: "/sbin/mount /mnt/cdrom" RunAsUsers: root
[*] Command: "/sbin/umount /mnt/cdrom" RunAsUsers: root
[*] Command: "/sbin/shutdown -h now" RunAsUsers: root
Sudo Commands
=============
  Command                  RunAsUsers  RunAsGroups  Password?  Privesc?
  -------                  ----------  -----------  ---------  --------
  /sbin/mount /mnt/cdrom   root                     True
  /sbin/shutdown -h now    root                     True
  /sbin/umount /mnt/cdrom  root                     True
  ALL                      ALL                      True       True
  ALL                      ALL                                 True
[+] Output stored in: /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt
[*] Post module execution completed
msf5 post(multi/recon/sudo_commands) > cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt
[*] exec: cat /Users/user/.msf4/loot/20180613134731_default_192.168.56.101_sudo.commands_305964.txt
Command,RunAsUsers,RunAsGroups,Password?,Privesc?
"/sbin/mount /mnt/cdrom","root","","True",""
"/sbin/shutdown -h now","root","","True",""
"/sbin/umount /mnt/cdrom","root","","True",""
"ALL","ALL","","True","True"
"ALL","ALL","","","True"
msf5 post(multi/recon/sudo_commands) >
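The parsing the module performs on the `sudo -n -l` output above, as an added Ruby example that is not the module's own code: it applies the same pre-checks on the raw output, then turns each entry into the row layout of the table above and flags a privesc avenue when the grant is ALL or the sudo-able binary is writable by the session user. The sample output is constructed from the transcript with one extra "(root : wheel)" line added, and the writable check is injectable (File.writable? by default) so the example runs offline.

```ruby
# Added example, not the module's own code. Sample `sudo -n -l` output constructed
# from the transcript above, plus one "(root : wheel)" line to exercise group parsing.
SAMPLE_SUDO_OUTPUT = <<~OUT
  Matching Defaults entries for wvu on localhost:

  User wvu may run the following commands on localhost:
      (ALL) ALL
      (ALL) NOPASSWD: ALL
      (root) /sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
      (root) /sbin/shutdown -h now
      (root : wheel) NOPASSWD: /sbin/shutdown -r now
OUT
# Same pre-checks the module applies to the raw output before parsing it.
def sudo_list_status(output)
  return :incorrect_password if output.include?('Sorry, try again')
  return :not_permitted if output =~ /^Sorry, .* may not run sudo/
  return :no_commands unless output =~ /may run the following commands/
  :ok
end
# Rows of [command, run_as_user, run_as_group, password_required, privesc].
# `writable` is injectable so the file-permission check can be exercised offline.
def parse_sudo_list(output, writable: ->(path) { File.writable?(path) })
  rows = []
  in_commands = false
  output.each_line do |raw|
    line = raw.strip
    if line =~ /may run the following commands/
      in_commands = true
      next
    end
    next if !in_commands || !line.start_with?('(')  # Defaults block, blanks, unparseable
    user = group = nil
    no_passwd = false
    line.split(/,\s*/).each do |cmd|
      if (spec = cmd[/\A\((.+?)\)/, 1])             # RunAs spec, e.g. "(root : wheel)"
        user, group = spec.split(':', 2).map(&:strip)
        cmd = cmd.sub(/\A\(.+?\)\s*/, '')
      end
      if (tag = cmd[/\A(NO)?PASSWD:\s*/])            # tag carries over to later commands
        no_passwd = tag.start_with?('NO')
        cmd = cmd.sub(tag, '')
      end
      # Unrestricted sudo, or a sudo-able binary the user can overwrite, is a privesc avenue.
      eop = cmd == 'ALL' || writable.call(cmd.split(' ').first.to_s)
      rows << [cmd, user.to_s, group.to_s, !no_passwd, eop]
    end
  end
  rows
end
```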
Msfconsole Usage
Here is how the multi/recon/sudo_commands post exploitation module looks in the msfconsole:
msf6 > use post/multi/recon/sudo_commands
msf6 post(multi/recon/sudo_commands) > show info
Name: Sudo Commands
Module: post/multi/recon/sudo_commands
Platform: BSD, Linux, OSX, Solaris, Unix
Arch:
Rank: Normal
Provided by:
bcoles <[email protected]>
Compatible session types:
Meterpreter
Shell
Basic options:
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        Password for the current user
   SESSION                     yes       The session to run this module on.
   SUDO_PATH  /usr/bin/sudo    yes       Path to sudo executable
Description:
This module examines the sudoers configuration for the session user
and lists the commands executable via sudo. This module also
inspects each command and reports potential avenues for privileged
code execution due to poor file system permissions or permitting
execution of executables known to be useful for privesc, such as
utilities designed for file read/write, user modification, or
execution of arbitrary operating system commands. Note, you may need
to provide the password for the session user.
Module Options
This is a complete list of options available in the multi/recon/sudo_commands post exploitation module:
msf6 post(multi/recon/sudo_commands) > show options
Module options (post/multi/recon/sudo_commands):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD                    no        Password for the current user
   SESSION                     yes       The session to run this module on.
   SUDO_PATH  /usr/bin/sudo    yes       Path to sudo executable
Advanced Options
Here is a complete list of advanced options supported by the multi/recon/sudo_commands post exploitation module:
msf6 post(multi/recon/sudo_commands) > show advanced
Module advanced options (post/multi/recon/sudo_commands):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   VERBOSE    false            no        Enable detailed status messages
   WORKSPACE                   no        Specify the workspace for this module
Post Actions
This is a list of all post exploitation actions which the multi/recon/sudo_commands module can do:
msf6 post(multi/recon/sudo_commands) > show actions
Post actions:
Name Description
---- -----------
Evasion Options
Here is the full list of possible evasion options supported by the multi/recon/sudo_commands post exploitation module in order to evade defenses (e.g. Antivirus, EDR, Firewall, NIDS etc.):
msf6 post(multi/recon/sudo_commands) > show evasion
Module evasion options:
Name Current Setting Required Description
---- --------------- -------- -----------
Error Messages
This module may fail with the following error messages:
- Could not parse sudoers entry: <LINE.INSPECT>
- Could not parse sudo command: <CMD.INSPECT>
- Could not parse sudo ouput: <E.MESSAGE>
- Session already has root privileges
- Could not find sudo executable
- Incorrect password
- Session user is not permitted to execute any commands with sudo
- Incorrect password, or the session user is not permitted to execute any commands with sudo
- Found no sudo commands for the session user
Check for the possible causes in the code snippets below, taken from the module source code. This can often help in identifying the root cause of the problem.
Could not parse sudoers entry: <LINE.INSPECT>
Here is a relevant code snippet related to the "Could not parse sudoers entry: <LINE.INSPECT>" error message:
formatted_data.split("\n").reject { |line| line.eql?('') }.each do |line|
  run_as = line.scan(/^\((.+?)\)/).flatten.first

  if run_as.blank?
    print_warning "Could not parse sudoers entry: #{line.inspect}"
    next
  end

  user = run_as.split(':')[0].to_s.strip || ''
  group = run_as.split(':')[1].to_s.strip || ''
Could not parse sudo command: <CMD.INSPECT>
Here is a relevant code snippet related to the "Could not parse sudo command: <CMD.INSPECT>" error message:
if cmd.start_with? '('
  run_as = cmd.scan(/^\((.+?)\)/).flatten.first

  if run_as.blank?
    print_warning "Could not parse sudo command: #{cmd.inspect}"
    next
  end

  user = run_as.split(':')[0].to_s.strip || ''
  group = run_as.split(':')[1].to_s.strip || ''
Could not parse sudo ouput: <E.MESSAGE>
Here is a relevant code snippet related to the "Could not parse sudo ouput: <E.MESSAGE>" error message:
      @results << [cmd, user, group, no_passwd ? '' : 'True', eop ? 'True' : '']
    end
  end
rescue => e
  print_error "Could not parse sudo ouput: #{e.message}"
end

def run
  if is_root?
    fail_with Failure::BadConfig, 'Session already has root privileges'
Session already has root privileges
Here is a relevant code snippet related to the "Session already has root privileges" error message:
  print_error "Could not parse sudo ouput: #{e.message}"
end

def run
  if is_root?
    fail_with Failure::BadConfig, 'Session already has root privileges'
  end

  unless is_executable? sudo_path
    print_error 'Could not find sudo executable'
    return
Could not find sudo executable
Here is a relevant code snippet related to the "Could not find sudo executable" error message:
  if is_root?
    fail_with Failure::BadConfig, 'Session already has root privileges'
  end

  unless is_executable? sudo_path
    print_error 'Could not find sudo executable'
    return
  end

  output = sudo_list
  vprint_line output
Incorrect password
Here is a relevant code snippet related to the "Incorrect password" error message:
  output = sudo_list
  vprint_line output
  vprint_line

  if output.include? 'Sorry, try again'
    fail_with Failure::NoAccess, 'Incorrect password'
  end

  if output =~ /^Sorry, .* may not run sudo/
    fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
  end
Session user is not permitted to execute any commands with sudo
Here is a relevant code snippet related to the "Session user is not permitted to execute any commands with sudo" error message:
  if output.include? 'Sorry, try again'
    fail_with Failure::NoAccess, 'Incorrect password'
  end

  if output =~ /^Sorry, .* may not run sudo/
    fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
  end

  if output !~ /may run the following commands/
    fail_with Failure::NoAccess, 'Incorrect password, or the session user is not permitted to execute any commands with sudo'
  end
Incorrect password, or the session user is not permitted to execute any commands with sudo
Here is a relevant code snippet related to the "Incorrect password, or the session user is not permitted to execute any commands with sudo" error message:
  if output =~ /^Sorry, .* may not run sudo/
    fail_with Failure::NoAccess, 'Session user is not permitted to execute any commands with sudo'
  end

  if output !~ /may run the following commands/
    fail_with Failure::NoAccess, 'Incorrect password, or the session user is not permitted to execute any commands with sudo'
  end

  @results = Rex::Text::Table.new(
    'Header' => 'Sudo Commands',
    'Indent' => 2,
Found no sudo commands for the session user
Here is a relevant code snippet related to the "Found no sudo commands for the session user" error message:
  )

  parse_sudo output

  if @results.rows.empty?
    print_status 'Found no sudo commands for the session user'
    return
  end

  print_line
  print_line @results.to_s
Related Pull Requests
- #10910 Merged Pull Request: Use writable? method for local modules
- #10021 Merged Pull Request: Add post/multi/recon/sudo_commands
See Also
Check also the following modules related to this module:
- post/multi/recon/local_exploit_suggester
- post/multi/recon/multiport_egress_traffic
- post/multi/recon/reverse_lookup
Authors
- bcoles
Version
This page has been produced using Metasploit Framework version 6.2.29-dev. For more modules, visit the Metasploit Module Library.