rvizx/sudo-mkdir-exploit

sudo mkdir Privilege Escalation

Exploit code and Docker lab environment for the privilege escalation technique via sudo mkdir with bash completion.

Research

Full research and technical analysis: https://www.zyenra.com/blog/sudo-mkdir-privilege-escalation

Prerequisites

The attack exploits multiple components working together:

  1. Misconfigured sudo permissions: user ALL=(root) NOPASSWD: /bin/mkdir *
  2. The -m flag overrides umask: mkdir -m 777 explicitly sets the mode to 777 and ignores umask, so the new directory is world-writable regardless of umask settings.
  3. Target directory doesn't exist: /etc/bash_completion.d/ must not already exist (it doesn't on many fresh installations).
  4. Bash completion auto-loading: Scripts in /etc/bash_completion.d/ are automatically sourced by root during interactive bash sessions.
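
A defensive check for prerequisites 1 to 3, added here as an example and not part of this repository: it flags sudoers lines that grant mkdir with unrestricted arguments and reports whether a completion directory is missing or world-writable. The function names are hypothetical and the sample sudoers text is constructed; on a real host, pass /etc/sudoers, each file under /etc/sudoers.d/, and /etc/bash_completion.d.

```shell
#!/bin/sh
# Added audit sketch; function names are hypothetical, sample data is constructed.

# Print sudoers lines (read from stdin) that allow mkdir with unrestricted
# arguments: either no argument list at all or one containing '*'.
risky_mkdir_rules() {
    grep -Ev '^[[:space:]]*(#|$)' |
        grep -E '(^|[[:space:],:])(/usr)?/bin/mkdir([[:space:]]*(,|$)|[[:space:]]+[^,]*\*)' || true
}

# Classify a directory as "missing", "world-writable" or "ok".
dir_state() {
    [ -d "$1" ] || { echo missing; return 0; }
    # Character 9 of the ls -l mode string is the other-write bit.
    case "$(ls -ld "$1" | cut -c9)" in
        w) echo world-writable ;;
        *) echo ok ;;
    esac
}

# audit SUDOERS_FILE COMPLETION_DIR: print findings, return 1 if any.
audit() {
    rc=0
    rules=$(risky_mkdir_rules < "$1")
    state=$(dir_state "$2")
    if [ -n "$rules" ]; then
        printf 'FLAG unrestricted mkdir rule: %s\n' "$rules"; rc=1
        [ "$state" = missing ] && echo "FLAG $2 does not exist and the rule above can create it"
    fi
    if [ "$state" = world-writable ]; then
        echo "FLAG $2 is world-writable"; rc=1
    fi
    return $rc
}

# Demo on constructed input (not taken from the repository's Dockerfile).
demo=$(mktemp -d)
cat > "$demo/sudoers" <<'EOF'
# constructed sample
ctfuser ALL=(root) NOPASSWD: /bin/mkdir *
ops ALL=(root) /bin/mkdir /srv/app/releases
EOF
audit "$demo/sudoers" "$demo/bash_completion.d" || true
rm -rf "$demo"
```

A rule pinned to a fixed path with no wildcard, such as the second sample line, is not flagged. Included sudoers files have to be passed to the function one by one, since include directives are skipped as comments.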

Proof of Concept

Quick Start

# Build and run Docker container
./run.sh

# SSH as ctfuser (to run exploit)
ssh -p 2222 ctfuser@localhost
# Password: ctfpassword

# Copy exploit script into container
docker cp exploit.sh mkdir-privesc-test:/tmp/

# SSH as root (to trigger payload)
ssh -p 2222 root@localhost
# Password: rootpassword

Files

  • exploit.sh - Automated exploitation script
  • Dockerfile - Vulnerable Docker environment
  • run.sh - Quick setup script

Author

Ravindu Wickramasinghe (@rvz)
Zyenra Security - https://www.zyenra.com

About

Research on `sudo mkdir *` based Privilege Escalation
