Exectuting sudo command in one line within a non-tty shell

Question

I have access to a server via RCE over http. I can send post requests to the server which results in command execution. I am attempting to escalate privileges via sudo (su is not installed).

The server is heavily firewalled with egress filters and there are no writeable directories/files within the web application.

My objective is to experiment with the sudo command to escalate privileges but because the command execution is not TTY; I am unable to execute the sudo command.

Is it possible to execute a command like sudo -S in a non-TTY shell?

Maybe using python's pty module to spawn /bin/bash or /bin/sh, but what about a method to just execute a single binary with some parameters passed to it like sudo -S <command> within/as a TTY shell?

To summarize: Is there a way to run sudo in a single line in a non-TTY shell?

For example I am trying to run sudo with these parameters:

echo <password> | sudo -u root -S id

When I execute the above command I receive the following output:

sudo: sorry, you must have a tty to run sudo

Can yo uread the output of commands? If so, can you enter what `sudo -ll` prints? — , Apr 11 '20 at 23:15
Does the host have `ssh` installed? If so, you could use `ssh -t localhost sudo ...` to ssh to yourself and execute sudo via tty. — , Apr 11 '20 at 23:23

score 2 · Answer 1 · answered Apr 12 '20 at 20:33

There are probably a few different ways to approach this problem, but I believe I found a simple way around it that is no different from what you'd do normally to upgrade a shell to a full-fledged pty.

First, the reason you are encountering this error is due to the Defaults requiretty setting in /etc/sudoers. It seems this option is outdated, and is already likely removed/slated to be removed from the default configuration on most distros.

I created a test user "shudo" with password "shudo" who is allowed to sudo to root to run the command id, and enabled the requiretty option. Here's what happens when "shudo" tries to sudo from a netcat shell:

sudo id
sudo: sorry, you must have a tty to run sudo

To get around this, let's try a typical PTY upgrade using Python:

echo -e "sudo id\nshudo" | python -c 'import pty;pty.spawn("/bin/bash")'

There's probably a way to do it with the -S option, but it's not needed. This spawns a new PTY to run /bin/bash, which receives the sudo command and password as standard in.

Here's the output:

echo -e "sudo id\nshudo" | python -c 'import pty;pty.spawn("/bin/bash")'
shudo@mymachine:/tmp$ sudo id
[sudo] password for shudo: 
uid=0(root) gid=0(root) groups=0(root)

You can see the new shell is spawned, sudo is executed, and the command is run as root! Note that this did leave my shell in a bad state since stdin is tied to the pipe, but it should be sufficient for a PoC.

score 0 · Answer 2 · edited Apr 12 '20 at 19:14

0

The problem here is that the "sudo" command is trying to invoke the password prompt, however since you're not running a "real" tty / shell, that doesn't work.

Here is the solution that should fix this, from Stack Overflow.

edited Apr 12 '20 at 19:14

Community

1

answered Apr 11 '20 at 23:24

Max O

101
3

Could you provide a example pertaining to this question, if so I will accept your answer. – dd_doriz Apr 11 '20 at 23:34
This solution does not work because it still prompts for the command to be executed. – dd_doriz Apr 12 '20 at 00:19
By command, do you mean the argument parameters? If a password prompt is required by the OS, then you'll need the password to execute it. – Max O Apr 12 '20 at 00:50
The password is is entered from stdin but the command is not executed correctly. – dd_doriz Apr 12 '20 at 00:56
Consider including the relevant parts from that link by editing your answer. – multithr3at3d Apr 12 '20 at 20:23

Exectuting sudo command in one line within a non-tty shell

2 Answers2