[LINPEAS] Add privilege escalation check: HTB Dump — Zip argument injection to RCE...

[carlospolop]

🔧 Automated Privilege Escalation Check Addition

🤔 Privilege Escalation Reasoning

The post documents a general and realistic sudoers misconfiguration pattern involving tcpdump that enables local privilege escalation. Specifically, a NOPASSWD sudo rule allows running /usr/bin/tcpdump with -w constrained by a globbed path and -F constrained by a filter path. Because the rule permits globbing and does not fully constrain additional options, an attacker can: (1) satisfy the sudoers pattern with the first -w, then supply a second -w to redirect output to an arbitrary path; (2) use -Z root to prevent privilege dropping and force root-owned outputs; (3) use -r to replay attacker-crafted pcap data into chosen files (e.g., /etc/sudoers.d), effectively achieving root; and (4) abuse -V to coerce reads that leak sensitive content via diagnostics. These abuses are well-known, tool-agnostic, and occur in real environments where tcpdump is granted via sudo with insufficient argument restrictions. This is an ideal candidate for linpeas to detect and highlight as a high-risk sudoers misconfiguration. The zip filename option injection is an application-specific remote RCE vector, not a local privesc technique suitable for linpeas/winpeas.

🤖 Implementation Details

PEASS linpeas agent completed successfully with 110 items. Agent Comment: Work completed in /tmp/hacktricks_update_4lr52ni7/repo

1. Technique analyzed

• The blog shows a realistic and high-impact sudoers misconfiguration: allowing /usr/bin/tcpdump via sudo with partially constrained arguments (notably a globbed -w path and a filter -F). Because sudoers does not fully pin all arguments, an attacker can:
  • Satisfy the sudoers pattern with the first -w and then add a second -w to redirect output anywhere.
  • Use -Z root to force root ownership and prevent privilege drop.
  • Use -r crafted.pcap to inject attacker-chosen content into sensitive files (e.g., /etc/sudoers.d/…).
  • Use -V to coerce reads that leak content via diagnostics.
• This pattern is fairly common and not app-specific, so it’s appropriate for linpeas (it’s an excellent complement to the existing “sudo -l” checks).

2. Repository exploration

• linPEAS modules are under linPEAS/builder/linpeas_parts.
• Sudo checks are in 6_users_information/7_Sudo_l.sh.
• No specific detection for tcpdump misconfiguration existed; only generic sudo highlighting via variables/sudoB.sh.

3. Where the new check was added (and why)

• I added the detection to the existing sudo module instead of creating a new module. This keeps the output centered where users already review sudo -l results and avoids duplicating code paths.
• File modified: linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh

4. Implementation details

• Added a small, fast block at the end of 7_Sudo_l.sh that:
  • Safely grabs sudo -l output (first without password, then with $PASSWORD if supplied).
  • Checks if any line references tcpdump.
  • If present, prints a clear warning and outputs the matching tcpdump lines (colored red).
  • Prints concise, copy-paste PoCs to guide manual exploitation, covering:
    • Second -w override
    • -Z root to force root-owned outputs
    • -r crafted.pcap to write to /etc/sudoers.d
    • -V to leak content via errors
  • Notes to ensure correct perms (e.g., 440 for sudoers.d) and newline at file end.
• The block is fast, uses the same timeout and style as the existing sudo -l check, and relies only on existing linPEAS functions and variables.

Code inserted (end of 7_Sudo_l.sh):

Extra: Detect tcpdump sudoers patterns that can be abused (wildcards/-w/-Z/-r/-V)

_tcpdump_sudol="$( (echo "" | timeout 1 sudo -S -l) 2>/dev/null )"
if [ -z "$_tcpdump_sudol" ] && [ "$PASSWORD" ]; then
_tcpdump_sudol="$( (echo "$PASSWORD" | timeout 1 sudo -S -l) 2>/dev/null )"
fi
if echo "$_tcpdump_sudol" | grep -q "/tcpdump"; then
echo "Potentially dangerous sudo tcpdump rule(s) found:" | sed -${E} "s,.,${SED_RED_YELLOW},g"
printf "%s\n" "$_tcpdump_sudol" | grep tcpdump | sed -${E} "s,.,${SED_RED},g"
print_info "tcpdump via sudo is commonly exploitable if arguments are not fully pinned (e.g., globbed -w path). Consider trying:"
echo " sudo tcpdump -c10 -w <allowed_path> -w /dev/shm/out.pcap -F <allowed_filter>" | sed -${E} "s,.,${SED_GREEN},g"
echo " sudo tcpdump -c10 -w <allowed_path> -Z root -w /dev/shm/root-owned -F <allowed_filter>" | sed -${E} "s,.,${SED_GREEN},g"
echo " sudo tcpdump -c10 -w <allowed_path> -Z root -r crafted.pcap -w /etc/sudoers.d/linpeas -F <allowed_filter>" | sed -${E} "s,.,${SED_GREEN},g"
echo " sudo tcpdump -c10 -w <allowed_path> -V /root/secret -w /tmp/dummy -F <allowed_filter>" | sed -${E} "s,.,${SED_GREEN},g"
echo " (use with caution; ensure correct perms, e.g., 440 for sudoers.d)" | sed -${E} "s,.*,${SED_GREEN},g"
echo ""
fi

5. Documentation

• No repository docs required structural change. The added output itself is explanatory and in the right place (with sudo -l results). If desired later, this can be highlighted in HackTricks book, but that’s out of scope here.

6. Final checks

• Syntax check: bash -n on the modified module returns OK.
• Performance: Uses the same 1s timeout and lightweight greps; no recursive filesystem searches.
• Compatibility: Pure POSIX sh style already used by linpeas; relies only on existing variables/functions (print_info, colors, $PASSWORD, $E).

Summary of the added detection

• What it detects: Any sudo -l entry that permits running /usr/bin/tcpdump. This is flagged as a high-risk pattern because, unless entirely pinned, it’s typically abusable via:
  • Second -w to override destination
  • -Z root to force root ownership
  • -r crafted.pcap to write arbitrary content (e.g., a sudoers drop-in)
  • -V to leak sensitive content via errors
• How it works: After sudo -l is gathered, it greps for tcpdump lines and, if found, prints the relevant lines and four PoC command templates that mirror the exploitation flow demonstrated in the blog (without executing anything).
• Where added: linPEAS/builder/linpeas_parts/6_users_information/7_Sudo_l.sh (appended block at end).

Why this meets the guidelines

• Not a niche/CTF-specific trick; tcpdump via sudo with weak arg restrictions is quite common and impactful.
• Fast and safe: one extra grep over sudo -l output and static guidance; no costly scans.
• Reuses existing printing and coloring patterns; no new global state or third-party tools.
• Adds concrete, actionable steps without automated exploitation.

🏗️ Builder Agent Response

LinPEAS build agent completed successfully with 26 items. Agent Comment: Done. LinPEAS builds successfully.

What I did:

• Navigated to /tmp/hacktricks_update_4lr52ni7/repo/linPEAS
• Ran the build command:
  • python3 -m builder.linpeas_builder --all --output /tmp/linpeas_fat.sh
• The build completed without errors and produced an executable script.

Verification:

• Output file: /tmp/linpeas_fat.sh
• Size: ~16 MB
• Executable bit set
• First lines show the expected linpeas header

No fixes were necessary since the build succeeded on the first attempt. If you want me to also produce a non-fat or small build, tell me which flags to use.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the implementation carefully and test thoroughly before merging.