
Detecting Sudo Abuse Through GTFOBins Traces and Sudoers Modification Forensics

web_auth_sessions Difficulty 1–5 30 min certifiable

Theory

Why This Matters

sudo is the primary privilege delegation mechanism on Linux, and misconfigured sudo rules are among the most exploited local privilege escalation vectors in CTF challenges and real-world incidents alike. The GTFOBins project documents hundreds of Linux binaries that, when granted via sudo, allow trivial root shell access — many of which appear innocent to administrators who granted them for legitimate purposes. Forensic analysis of sudo abuse is therefore central to understanding a large proportion of Linux post-exploitation activity.

Core Concept

sudo (superuser do) executes commands as another user (typically root) based on policy defined in /etc/sudoers and files under /etc/sudoers.d/. The policy specifies which users may run which commands as which target users. Misconfigurations that enable privilege escalation include:

  • (ALL) NOPASSWD: ALL: user can run any command as root without a password — direct root access.
  • Interpreter binaries (python, perl, ruby, lua, awk, vim, less, man, find, cp, mv): most allow spawning an interactive shell or executing arbitrary code when run as root. See GTFOBins for specific invocations.
  • env_keep abuse: sudo strips environment variables by default. If env_keep+=LD_PRELOAD is set, a user can inject a shared library into any root-run command.
  • sudoedit vulnerabilities: CVE-2021-3156 (Baron Samedit) and CVE-2019-14287 allowed privilege escalation via a sudoedit heap overflow and sudo -u#-1 respectively.
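The four misconfiguration classes above, applied mechanically to a sudoers file. This is an added example written for this card, not code from the card or from the sudo project: it reads a constructed policy, flags ALL rules, NOPASSWD tags, wildcard command paths, GTFOBins-listed binaries, %group rules and an env_keep of LD_PRELOAD. The sample policy, the GTFOBINS set (a subset of the GTFOBins catalogue) and the simplified rule grammar it parses (user host=(runas) [tags:] commands; no aliases, includes or line continuations) are assumptions.

```python
import re

# Constructed sudoers policy for illustration only (not from a real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD"
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
deploy  ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) NOPASSWD: /usr/bin/python3, /usr/bin/tar
www     ALL=(root) /usr/bin/*
alice   ALL=(root) /usr/bin/systemctl restart nginx
"""

# Subset of binaries GTFOBins documents as sudo shell escapes (assumed list).
GTFOBINS = {"python", "python3", "perl", "ruby", "lua", "awk", "vim", "vi", "less",
            "more", "man", "find", "cp", "mv", "tee", "dd", "bash", "sh", "env",
            "nmap", "zip", "tar"}

# Simplified user-spec grammar: who host=(runas) [tags:] cmd[, cmd...].
# Aliases, #include directives and line continuations are not handled.
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")
TAG_RE = re.compile(
    r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT|LOG_OUTPUT|NOLOG_OUTPUT):")


def analyse_sudoers(text):
    """Return (line_no, principal, finding) tuples for risky rules and defaults."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            # env_keep of LD_PRELOAD lets any permitted command load a user-chosen library
            if "env_keep" in line and "LD_PRELOAD" in line:
                findings.append((n, "Defaults", "env_keep preserves LD_PRELOAD"))
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":   # root's own ALL rule is expected
            continue
        who, spec = m.group("who"), m.group("spec")
        suffix = " without password" if "NOPASSWD:" in spec else ""
        group_note = " (group rule: any member inherits it)" if who.startswith("%") else ""
        for cmd in TAG_RE.sub("", spec).split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            path = cmd.split()[0]
            base = path.rsplit("/", 1)[-1]
            if path == "ALL":
                findings.append((n, who, "ALL commands" + suffix + group_note))
            elif "*" in path:
                findings.append((n, who, f"wildcard command path {path}" + suffix + group_note))
            elif base in GTFOBINS:
                findings.append((n, who, f"GTFOBins binary {path}" + suffix + group_note))
    return findings


if __name__ == "__main__":
    for line_no, who, what in analyse_sudoers(SAMPLE_SUDOERS):
        print(f"line {line_no}: {who}: {what}")
```

Run it against a sudoers file recovered from a forensic image (cat the file and the /etc/sudoers.d/ fragments into one string) to get a line-numbered list of the entries worth reviewing; the alice rule, a fixed non-interpreter command with no tags, produces no finding.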

Forensic artefacts: sudo generates entries in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL) in the format: Mar 15 10:23:44 host sudo: user : TTY=pts/0 ; PWD=/home/user ; USER=root ; COMMAND=/usr/bin/python3

Technical Deep-Dive

# Parse sudo commands from auth.log and count them by command line
grep " sudo:" /var/log/auth.log | grep "COMMAND" \
  | awk -F"COMMAND=" '{print $2}' | sort | uniq -c | sort -rn

# Identify GTFOBins-relevant commands in sudo history
# (substring match: "sh" also hits ssh and bash, so review the output manually)
GTFOBINS="python|perl|ruby|lua|awk|vim|less|more|man|find|cp|mv|tee|dd|bash|sh|env|nmap|zip|tar"
grep " sudo:" /var/log/auth.log | grep "COMMAND" \
  | grep -E "$GTFOBINS"

# Check current sudoers for dangerous rules
sudo cat /etc/sudoers 2>/dev/null | grep -vE "^#|^$" | grep -E "(ALL|NOPASSWD)"
sudo find /etc/sudoers.d/ -type f -exec grep -lE "NOPASSWD|ALL" {} \;

# Check for sudo -l enumeration in auditd (attackers run this to discover privileges)
ausearch -m EXECVE --interpret 2>/dev/null \
  | grep -A2 "sudo" | grep -e "-l"

# Or in bash history
grep -r "sudo -l" /home/*/.bash_history /root/.bash_history 2>/dev/null

-- Splunk (syslog-forwarded Linux sudo logs): detect interpreter abuse via sudo
index=syslog "sudo:" "COMMAND"
| rex field=_raw "COMMAND=(?P<cmd>\S+)"
| eval binary = replace(cmd, ".*/(.*)", "\1")
| where match(binary, "(?i)^(python\d*|perl|ruby|vim|less|awk|find|nmap|bash|sh|env|lua|dd|tee|tar|zip)$")
| table _time host _raw cmd
| sort _time

# Detect sudoers modification via auditd
# Rule: -w /etc/sudoers -p wa -k sudoers_change
#       -w /etc/sudoers.d/ -p wa -k sudoers_change
ausearch -k sudoers_change --interpret | head -30

# Compare current sudoers against baseline
diff /etc/sudoers.baseline /etc/sudoers

Analytical Methodology

  1. Extract all sudo command entries from /var/log/auth.log or /var/log/secure for the investigation period. Pay attention to the COMMAND field — this is the full path of the executed binary.
  2. Cross-reference each COMMAND against the GTFOBins database. Flag any binary listed there as a sudo escalation risk. Common findings: python3 -c 'import os; os.system("/bin/bash")', find . -exec /bin/bash \;, vim -c ':!/bin/bash'.
  3. Check for sudo -l invocations — these are reconnaissance commands used to discover available sudo rules before attempting escalation. Their presence before an escalation event indicates deliberate exploitation.
  4. Examine the sudoers configuration at the time of the incident. Extract from forensic image or backup. Look for: NOPASSWD entries, wildcard paths (/usr/bin/*), interpreter binaries, and env_keep directives.
  5. Check /etc/sudoers.d/ for recently created or modified files — attackers with root access may add a persistent sudoers rule for their account. Correlate modification timestamps with the incident window.
  6. Identify whether env_keep+=LD_PRELOAD is present. If so, review auditd records for LD_PRELOAD in execve argument lists, which would indicate a shared library injection attack.
  7. Check for CVE-specific exploitation: review sudo version (sudo --version) from the forensic image. If the version is in the range affected by CVE-2021-3156 (< 1.9.5p2) or CVE-2019-14287, those CVEs should be listed as potential escalation vectors.
  8. Correlate sudo events with subsequent privileged activity: after a sudo python invocation, look for new files owned by root, new cron entries, service installations, or outbound network connections from the root context.
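Steps 1 to 3 and step 8 of the methodology, together with the auth.log pipelines from the deep-dive, as one triage routine. This is an added example written for this card, not the card's own code: it parses the auth.log format quoted under "Forensic artefacts", matches each COMMAND's basename exactly against a GTFOBins list (so /usr/bin/ssh is not a hit for sh, unlike a substring grep), treats sudoedit: records as the separate path they are, and ties a GTFOBins escalation back to an earlier sudo -l by the same user. The log excerpt is constructed; that sudo -l is recorded as COMMAND=list is an assumption about the log format, and the GTFOBINS set is a subset of the GTFOBins catalogue.

```python
import re
from collections import Counter

# Constructed auth.log excerpt in the syslog format quoted in the card (not real data).
# The "COMMAND=list" line is how this example assumes `sudo -l` is recorded.
SAMPLE_AUTH_LOG = """\
Mar 15 10:20:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar 15 10:23:10 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=list
Mar 15 10:23:44 web01 sudo:      bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/python3 -c import os; os.system("/bin/bash")
Mar 15 10:24:02 web01 sudo: pam_unix(sudo:session): session opened for user root by bob(uid=0)
Mar 15 10:30:15 web01 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/ssh admin@backup01
Mar 15 10:31:00 web01 sudoedit:     dave : TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=sudoedit /etc/sudoers.d/dave
"""

# Subset of binaries GTFOBins documents as sudo shell escapes (assumed list).
GTFOBINS = {"python", "python3", "perl", "ruby", "lua", "awk", "vim", "vi", "less",
            "more", "man", "find", "cp", "mv", "tee", "dd", "bash", "sh", "env",
            "nmap", "zip", "tar"}

# One sudo/sudoedit command record; pam_unix session lines do not match.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]+)\s+(?P<host>\S+)\s+(?P<ident>sudo|sudoedit):\s+"
    r"(?P<user>\S+)\s+:\s+TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+"
    r"USER=(?P<runas>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$")


def parse_sudo_log(text):
    """Return one dict per command record, in log order."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def basename_of(cmd):
    """argv[0] of the COMMAND field with its directory stripped."""
    argv0 = cmd.split()[0] if cmd.strip() else ""
    return argv0.rsplit("/", 1)[-1]


def command_histogram(events):
    """Per-binary counts, the equivalent of the awk | sort | uniq -c pipeline."""
    return Counter(basename_of(ev["cmd"]) for ev in events)


def triage(events):
    """Flag reconnaissance, GTFOBins escapes and sudoedit of policy files, in log order."""
    findings = []
    last_recon = {}      # user -> timestamp of that user's most recent `sudo -l`
    for ev in events:
        user, cmd = ev["user"], ev["cmd"]
        base = {"ts": ev["ts"], "user": user, "cmd": cmd}
        if ev["ident"] == "sudoedit":
            # separate execution path, logged under its own ident: filter for both
            reason = "sudoedit invocation"
            if "/etc/sudoers" in cmd:
                reason += " targeting sudoers policy"
            findings.append({**base, "reason": reason})
        elif cmd.split()[:1] == ["list"]:
            last_recon[user] = ev["ts"]
            findings.append({**base, "reason": "sudo -l reconnaissance"})
        elif basename_of(cmd) in GTFOBINS:
            # exact basename match: ssh is not a hit for sh
            reason = f"GTFOBins binary {basename_of(cmd)} run via sudo"
            if user in last_recon:
                reason += f" (preceded by sudo -l at {last_recon[user]})"
            findings.append({**base, "reason": reason})
    return findings


if __name__ == "__main__":
    events = parse_sudo_log(SAMPLE_AUTH_LOG)
    print(command_histogram(events))
    for f in triage(events):
        print(f"{f['ts']} {f['user']}: {f['reason']} :: {f['cmd']}")
```

Feed it the contents of /var/log/auth.log (or /var/log/secure) for the investigation window; the findings list is the set of events to carry into step 8's correlation with root-owned files, cron entries and network connections.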

Common Analytical Errors

  • Ignoring legitimate sudo use: Not every sudo command is malicious. Focus on interpreter binaries, unexpected commands, commands run outside normal working hours, or commands run by accounts that do not normally use sudo.
  • Missing env_keep exploitation: Standard sudo logs record the COMMAND but not environment variables passed to it. auditd execve records capture the full argument list including LD_PRELOAD. Consult auditd for complete evidence of environment variable abuse.
  • Overlooking sudoedit: sudoedit is a separate execution path from sudo. Its invocations are logged differently in auth.log (as sudoedit: not sudo:). Filter for both.
  • Not checking group-inherited sudo: sudo rules can apply to %group entries. An account that gained group membership (see card .group.v1) may have inherited sudo rules that were not visible under the original account's privileges.

NICE Framework Alignment

Code | Work Role Knowledge / Skill / Task | Relevance
K0046 | Knowledge of intrusion detection methodologies | sudo abuse is a post-compromise escalation technique detectable via auth.log monitoring
K0145 | Knowledge of security event correlation tools | SIEM correlation of sudo COMMAND fields against a GTFOBins-relevant binary list
K0187 | Knowledge of file type abuse by adversaries | Interpreters and system utilities are abused as LOLBins to escape to a root shell without dropping malware
S0047 | Skill in preserving evidence integrity | Preserving auth.log and sudoers files before incident response changes the system state
T0049 | Decrypt seized data / analyze forensic artifacts | Analysing auditd execve records to reconstruct the exact commands run via sudo escalation

Further Reading

  • GTFOBins (gtfobins.github.io) — authoritative reference for sudo, SUID, and capability binary escapes
  • sudo(8) man page — env_keep, NOPASSWD, and sudoedit behaviour
  • CVE-2021-3156 (Baron Samedit) — Qualys vulnerability research and PoC analysis
  • SANS: "Linux Privilege Escalation via sudo" (blog post)
  • MITRE ATT&CK T1548.003: Sudo and Sudo Caching — detection data sources
