Linux Privilege Elevation: Breaking out of Sudo with GTFOBins
with Randy Franklin Smith, CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP; Patrick Schneider, Sr. Solutions Architect
01:21:54
Linux is all about files and commands, and without something like sudo, security is all or nothing: you have monolithic root access, or you don't. Sudo imposes a more granular model of privileged access by limiting which commands a user can run as root through a crafted sudoers file, which in effect allows an organization to delegate specific privileged functions to specific users.
The simplest sudoers policy specifies a user or group and the name of the binary they are allowed to run as root.
But you have to go further than the command. Much further.
To begin with, many commands naturally have more than one function. For example, usermod has different switches for unlocking a user account and for changing its password. If you want to give someone the ability to unlock user accounts without also allowing them to change the password and subsequently log on as that user, you have to add those parameter restrictions to the sudoers entry for that command.
But that’s just the beginning of the story.
There are hundreds of binaries in Linux that provide the ability to run arbitrary commands or even open interactive shells. And these are not unusual commands that users seldom need. Text editors like vi and nano and very common binaries like tar (file compression) and even man (for displaying documentation) can be used to gain access to interactive shells with root access.
To be clear, these are not vulnerabilities per se that can just be patched – they are in most cases intended functions of each binary.
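As an added illustration (not material from the webinar, from Randy, or from BeyondTrust), the shell script below embeds a constructed sudoers-style policy containing both the simplistic entries described above and the narrower forms that sudoers syntax allows, then runs a small audit over it. It flags rules that grant a command with no argument restriction, rules whose arguments contain wildcards, and rules whose command is on a short list of binaries documented by GTFOBins. The rule format handled, the sample user names and paths, and the binary shortlist are assumptions made for this example; it is a review aid, not a replacement for `visudo -c` or a full sudoers parser (aliases, Defaults, negated commands and line continuations are skipped).

```shell
#!/bin/sh
# Added example (not from the webinar or from BeyondTrust): audit sudoers-style
# rules for the weaknesses described above: a command granted with no argument
# restriction (every sub-function of the binary is delegated), a wildcard in
# the arguments (sudo matches it across word boundaries), and a binary that can
# run other commands or open a shell (the GTFOBins class).
# Assumes one rule per line in "user HOST=(RUNAS) [TAG:] /path/cmd [args]" form;
# Cmnd_Alias, Defaults, negated commands and line continuations are skipped.

# Constructed sample policy. Lines 3 and 5 are the simplistic form discussed
# above; lines 7 and 9 add the argument restrictions that sudoers syntax offers.
SAMPLE_SUDOERS='
# operators may edit files as root (vi is on GTFOBins)
ops      ALL=(ALL) /usr/bin/vi
# helpdesk may run usermod with any arguments, including password changes
helpdesk ALL=(ALL) /usr/sbin/usermod
# helpdesk may unlock accounts (-U); the wildcard still needs review
helpdesk ALL=(ALL) /usr/sbin/usermod -U [a-z]*
# backup may run one fixed tar command line and nothing else
backup   ALL=(root) NOPASSWD: /bin/tar -czf /var/backups/etc.tgz /etc
'

# Shortlist for the example; GTFOBins documents hundreds of such binaries.
SHELL_ESCAPE_BINS="vi vim nano tar man less more find awk python perl"

# audit_sudoers: reads sudoers text on stdin, prints one finding per line as
# "line N: finding: command spec", returns 0 when clean and 1 otherwise.
audit_sudoers() {
  lineno=0; findings=0
  while IFS= read -r line; do
    lineno=$((lineno + 1))
    line=${line#"${line%%[![:space:]]*}"}          # strip leading whitespace
    case "$line" in ''|\#*|Defaults*|*_Alias*) continue ;; esac
    spec=${line#*=}                                  # text after "HOST="
    spec=${spec#*\)}                                 # drop "(RUNAS)" if present
    spec=${spec##*:}                                 # drop tags such as NOPASSWD:
    spec=${spec#"${spec%%[![:space:]]*}"}
    cmd=${spec%%[[:space:]]*}                        # first word: the command
    args=${spec#"$cmd"}
    args=${args#"${args%%[![:space:]]*}"}            # remaining words: arguments
    base=${cmd##*/}
    if [ "$cmd" = "ALL" ]; then
      printf 'line %d: every command granted: %s\n' "$lineno" "$spec"
      findings=$((findings + 1))
      continue
    fi
    if [ -z "$args" ]; then
      printf 'line %d: no argument restriction: %s\n' "$lineno" "$spec"
      findings=$((findings + 1))
    fi
    case "$args" in
      *\**|*\?*)
        printf 'line %d: wildcard in arguments (sudo matches it across spaces): %s\n' \
          "$lineno" "$spec"
        findings=$((findings + 1)) ;;
    esac
    case " $SHELL_ESCAPE_BINS " in
      *" $base "*)
        printf 'line %d: %s is on GTFOBins, review the allowed arguments: %s\n' \
          "$lineno" "$base" "$spec"
        findings=$((findings + 1)) ;;
    esac
  done
  [ "$findings" -eq 0 ]
}

# Demo run over the constructed policy.
if printf '%s\n' "$SAMPLE_SUDOERS" | audit_sudoers; then
  echo "policy clean"
else
  echo "findings above need review"
fi
```

Run it with `sh` and pipe in a sudoers file, or `sudo -l` output reshaped into the same form. The wildcard finding on the usermod line is deliberate: sudoers matches command arguments as one space-separated string, so a pattern such as `-U [a-z]*` also matches a username followed by further switches, which is why the sudoers manual warns that wildcards in arguments match across word boundaries. Where a delegated task needs a variable argument, a small wrapper script that accepts exactly one validated username and calls `usermod -U` itself, with the sudoers entry naming only that script, is the more reliable way to restrict the command.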
In this real training for free event, we used a valuable project called GTFOBins to explore the many ways that a too simplistic implementation of sudo can be bypassed by a knowledgeable attacker or a determined user.
Randy showed live demonstrations of bypassing a simplistic sudoers file and then showed how to fix each bypass.
After that, we discussed strategies for thoroughly implementing least privilege on Linux.
BeyondTrust sponsored this event, and the very knowledgeable Patrick Schneider helped Randy put this technical deep dive together. Patrick briefly showed:
A brief overview of BeyondTrust Endpoint Privilege Management for Linux (EPML), now offered as a SaaS solution.
Centralized management of Endpoint policy in SaaS, with event logging and audit recording of activities.
How BeyondTrust EPML can improve the security of Linux commands and mitigate the common workaround options published in GTFOBins.
Meet the Presenters
Randy Franklin Smith
CEO, Monterey Technology Group, Inc. CISA, SSCP, Security MVP
Randy Franklin Smith is an internationally recognized expert who specializes in the security and control of Windows and Active Directory. He performs security reviews for clients ranging from small, privately held firms to Fortune 500 companies and national and international organizations.
Patrick Schneider
Sr. Solutions Architect
Patrick Schneider is a Senior IGA professional, with 30 years of experience in the Information Technology industry. Prior to joining BeyondTrust as a Senior Solutions Architect, Patrick was a Senior Solutions Engineer for the Security portfolio of a major IAM solutions provider. Patrick holds many industry certifications such as Comptia+, MCP, Certified Directory Engineer, Certified Linux Engineer and more.