🟥secure_path


Examine secure_path with sudo -l

If the secure path is different from above, check for PATH hijacking or for a way to leverage a binary the sudo privilege points to.

Example: sudo -l shows that a low-level user can run /usr/bin/bash /opt/check.sh

Check sudo visudo. You shouldn't have access as a low-level user, but it's the safe way to make edits to the sudoers file, as it checks for syntax errors.

The sudoers file is located at /etc/sudoers

Special Case: the bash test binary or '['

By default, all Linux, BSD, and Unix systems come with the [ binary, located in /bin

[ binary at the very top of /bin

The [ or test binary in bash is used with boolean operators, commonly found in if-then statements. Notice it has no absolute path, so it can be PATH hijacked, given the right case.

Example: secure_path (revealed by sudo -l) starts with /home/mcskidy

A lower-level user can run a bash script that uses this [ binary.

This lower-level user could create an evil [ bash file, make it executable and privesc:

cd /home/mcskidy
nano '['
/bin/bash -p  #type into nano
Ctrl-x        #save file
chmod +x '['  #make the file executable
sudo /usr/bin/bash /opt/check.sh
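
To find this condition from the defender's side, the following added example (not part of the original notes) pulls secure_path out of sudo -l output and flags every entry that a non-root user could plant files in. The function names, the TRUSTED_UID variable and the sample output are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example (not from the original page): audit a sudoers secure_path.
# TRUSTED_UID is an assumption of this sketch: the only uid allowed to own a
# secure_path directory (0 = root). Override it only for unprivileged testing.

# Read `sudo -l` output on stdin and print the first secure_path value.
# sudo -l prints the separators escaped as "\:", so undo that.
extract_secure_path() {
    sed -n 's/.*secure_path=\([^,]*\).*/\1/p' | sed 's/\\:/:/g' | head -n 1
}

# Print one UNSAFE line per risky entry; return 1 if any entry is risky.
audit_secure_path() {
    trusted_uid=${TRUSTED_UID:-0}; rc=0
    old_ifs=$IFS; IFS=:; set -f      # split on ':' without glob expansion
    set -- $1
    set +f; IFS=$old_ifs
    for dir in "$@"; do
        reason=
        case $dir in
            /*) if [ ! -d "$dir" ]; then
                    reason="missing, check who can create it"
                elif [ -n "$(find -H "$dir" -prune ! -user "$trusted_uid" -print)" ]; then
                    reason="not owned by uid $trusted_uid"
                elif [ -n "$(find -H "$dir" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
                    reason="group- or world-writable"
                fi ;;
            *)  reason="relative or empty entry" ;;
        esac
        [ -z "$reason" ] || { echo "UNSAFE '$dir': $reason"; rc=1; }
    done
    return "$rc"
}

# Constructed sample of `sudo -l` output, modelled on the page's example.
sample='Matching Defaults entries for mcskidy on host:
    env_reset, mail_badpass, secure_path=/home/mcskidy\:/usr/local/sbin\:/usr/bin\:/bin

User mcskidy may run the following commands on host:
    (root) /usr/bin/bash /opt/check.sh'

sp=$(printf '%s\n' "$sample" | extract_secure_path)
audit_secure_path "$sp" || echo "Review secure_path: $sp"
```

bash resolves [ as a builtin unless the script disables it (for example with enable -n [), so the lookup described above only reaches secure_path in that case. The same directory checks apply to any command a sudo-run script calls without an absolute path.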
