Academy > Linux Privilege Escalation > Sudo > User cannot run sudoedit

HTB Content Academy
,
1

I’m running into an issue with the Sudo module of linux priv esc in HTB academy. I compiled the CVE-2021-3156 “Sudo Hax Me a Sandwhich” and successfully got it on the machine via scp. However, when I run it I get an error along the lines of HTB-Student not allowed to run sudoedit as root.

Am I using the wrong exploit?

7

hi did you resolve this issue? im stuck in this

8

For some reason, they cleared out all the replies to this thread. But basically, google what you can do with your sudo:

sudo -l
[...]

You don’t need to compile and run an actual exploit

9

And read the manual!

1 Like
10

Hello. I am stuck also here. Found that I can use /bin/ncdu as root with “sudo -u#-1 /bin/ncdu” and than I was able to enumerate with dir command the root folder, but how I am supposed to read the flag.txt ? I read the manual for ncdu , and spot some commands for -f or -o but nothing. Any help ?

1 Like
11

You are on the right track!

But as @Anass0X hints and as you will often hear it in the IT industry:
RTFM or Read The F… Manual…

There are more options that you may call with ncdu, but just like vi, it’s not only the flags you add when you start the application from the command line…

1 Like
12

So, I spawn a shell, become root, try to read flag.txt but found a content with lists with nested dictionaries, which I guess is not the normal content of the flags. Do I miss something?

13

Well, most of the time, in my experience with HTB, there are three main types of flags:

  • <some_random_chars>flag.txt or flag<some_random_chars>.txt, which means you have to ls to know the right name of the flag to cat it,
  • /root/flag.txt or C:\Users\Administrator\Desktop\flag.txt,
  • right in the folder you popped your shell in, you can find a flag.

Have you tried the most obvious one, knowing that this is about PrivEsc on a linux machine ?

14

I reset the machine and was able to cat the flag. Thanks all :slight_smile:

16

screenshot2
anyone else facing this error??
I transfer the whole tool with scp bu i cannot use make.
Also I cannot use “sudo -l”…

Edit 1: Also after using make on my system and transfer it again. i can’t even use sudo-hax-me-a-sandwich

Edit 2:

Screenshot from 2023-10-22 18-03-11
Screenshot from 2023-10-22 18-03-11763×88 14 KB

18

go to ? and see how to spawn shell on the current directory

1 Like
19

read ncdu man pages to check all the runtime options

20

One important tipp I have is:
The help that opens in ncdu with ? is scrolable. There is more text than the one you see when you only press ?

22

who to spawn a shell

24

Remember to check the full options for the output for “sudo -l”
and one of them can help you

25

GTFOBins! :smiley:

26

Am I missing something? I’m aware of how to use the sudo binary and get a shell, but it’s unclear how to proceed from that. It’s also seems to be a box from a previous exercise, so wondering if this is even the right environment.

27

Are you still facing this issue?

28

Here is what I did to resolve this :
1-sudo -l (to see what I can do with the highest privileges)
2-Try to find the full path of ncdu on the system (you can use the command whereis)
3- sudo -u#-1 /u**/bin/ncdu /home/htb-student/
4-After running the above command, just type the “b” letter on your keybord. Because reading the manual page of ncdu command I found out the “b” will allow us to open a new shell terminal on the system. It was not very intuitive for me. And I spent lot of time on that.

Cheers,
Lol4

9 Likes
29

lol4’s answer is 100% the best solution for the lab. but you can also compile cve-2021-3156 on a different machine with make / gcc. i use docker for this with an image matching the target lab system (i highly suggest people do the same thing and set up docker when they need to compile other exploits for other labs). then just transfer it to the system and itll work with the right option