📘
CAS Cybersecurity
  • Start
  • Reconnaissance
    • Opensource Intelligence
  • Docker basics and Images
    • Damn Vulnerable Webapp
    • bWAPP
    • Juice Webshop
    • Webgoat
    • Metasploitable 2
    • Metasploitable 3
    • MISP Docker (old)
    • MISP Docker (new)
  • Scanning and Enumeration
    • Scanning with zenmap
    • Scanning with nmap
    • Scanning with msf auxiliary
  • Vulnerability Scanning and Analysis
    • OpenVAS
    • nmap vulnerability scan
    • MSF Auxiliary Modules
  • Exploitation
    • Metasploitable 2
    • Redis Server
    • Print Nightmare
    • Baron Samedit
    • Polkit
    • Heartbleed
  • Man in the Middle
    • ARP Cache poisoning
    • RDP MitM Exercise
  • Windows Hacking
    • Throwback Network
      • Entering the breach
      • Exploring the caverns
      • Webshells and you!
      • First Contact
    • WinAttack LAB
      • Module 01
      • Module 02
      • Module 03
      • Module 04
      • Module 05
      • Module 06
      • Module 07
      • Module 08
      • Module 09
      • Module 10
  • Web Application Security
    • Burp Proxy Introduction
    • DVWA
      • DVWA Exercises 1
      • DVWA Exercises 2
      • DVWA Exercises 3
      • DVWA Exercises 4
      • DVWA Exercises 5
      • DVWA Exercises 6
      • DVWA Exercises 7
      • DVWA Exercises 8
  • CTF and Crypto Exercises
    • Cyberchef Challenge
    • HTB Invite Challenge
    • BSides London 2019 Challenge
    • Ninja Sec Challenge
  • Threat Intelligence
    • MISP Exercise 1
    • MISP Exercise 2
    • MISP Exercise 3
    • MISP Exercise 4
    • MISP Exercise 5
    • MISP Exercise 6
    • MISP Exercise 7
    • MISP Exercise 8
    • Virus Total Graph Exercise
    • RFI Incoming!
  • Forensic Exercises
    • Disk Forensics
      • The Sleuth Kit Intro
      • Filecarving with Foremost
      • Filecarving with scalpel
      • Bulk extractor
      • Disk acquisition with dd
      • Disk acquisition with dcfldd
      • Disk acquisition with ewftools
      • Disk acquisition with FTK Imager
      • Mount disk image (raw)
      • Unknown USB Stick
      • USB Stick Filecarving
      • Autopsy Exercise
    • Windows Forensics
      • Bitunlocker
      • Alternate Datastreams
    • Memory Forensics
      • Volatility2 Basics (Linux)
      • Volatility2 Exercise 1
      • Volatility3 Exercise 1
      • Volatility3 Exercise 2
      • Volatility3 Exercise 3
    • Image Forensics
      • Unswirl Image
      • Manual Filecarving 1
      • Manual Filecarving 2
    • Browser Forensics
    • Mail Header Analysis
    • Timestomping Exercise
    • Network Forensics
      • Tshark Exercise
  • Malware Analysis
    • Ransomware
      • General Introduction
      • Ryuk
      • RansomEXX
      • REvil
      • BlackMatter
      • Hades
      • Egregor
      • DoppelPaymer
    • YARA
      • YARA Install
      • yarGen
      • YARA with Cyberchef
      • TCP dump analysis
      • Memory dump analysis
    • Dosfuscated Scripts
  • Android Malware
    • LAB Setup 1
    • LAB Setup 2
    • Android Manifest
    • Android Permissions
    • APP Tracing with Frida
    • AES Key decryption
    • RedAlert
    • BlackRoseLucy
    • Crackme RE Challenge
  • Forensic Readiness
    • Windows Event Logs
    • Windows Sysmon
    • Sysmon: Capture Clipboard
    • Sysmon: Process Injection
    • Ransomware Detection
      • Signature based
  • Live Response
    • Velociraptor P1
    • Velociraptor P2
    • Velociraptor P3
    • Windows Response LAB
      • Lateral Movement Detection
      • Detect persistence
      • Volatility Analysis
Powered by GitBook
On this page
  • Exercise CVE-2021-3156 Baron Samedit
  • 1. Introduction
  • 2. Confirm Exploitability
  • 3. Exploit the vunerability
  • 4. Patch vulnerability
  • 5. Questions
  • 6. Answers

Was this helpful?

  1. Exploitation

Baron Samedit

PreviousPrint NightmareNextPolkit

Last updated 3 years ago

Was this helpful?

Exercise CVE-2021-3156 Baron Samedit

1. Introduction

On January 26, 2021, the Qualys Research Team released a write-up on a heap overflow vulnerability in sudo that was later dubbed CVE‑2021‑3156, also known as Baron Samedit. This vulnerability allows any unprivileged user to gain root access on a system using an unpatched version of sudo.

In this module, you will learn how to exploit the Baron Samedit vulnerability.

  • CVSS Score: 7.8 HIGH

  • CVSS Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

2. Confirm Exploitability

Recently you heard about a brand new privilege escalation exploit called Baron Samedit. You think that your system might be vulnerable but you are not sure.

You know that all legacy versions of sudo from 1.8.2 to 1.8.31p2 and all stable versions from 1.9.0 to 1.9.5p1 are affected by this bug. But does this apply to you or not?

Check sudo version:

apt-cache policy sudo

System is exploitable!

3. Exploit the vunerability

Now that you are sure you have an unpatched version of sudo installed, it is time to exploit the bug.

It has been discovered by security researchers that a command-line argument ending with a single backslash character can lead to a heap-based buffer overflow in the set_cmnd() function of sudo. However, the condition is only met when the MODE_SHELL flag and either the MODE_EDIT or MODE_CHECK flag are set, but the default MODE_RUN is not. Although setting all the right flags while running sudo seems impossible, researchers have identified a loophole. If you execute the sudoedit command instead of sudo (which technically runs the same binary), you can set all the necessary flags and overflow the heap-based buffer.

The exploit that has already been downloaded for you in the CVE-2021-3156/ directory on your desktop makes use of this technique to exploit the vulnerability.

make

./sudo-hax-me-a-sandwich

Note: 1 is our target number that match the sudo version

./sudo-hax-me-a-sandwich 1

4. Patch vulnerability

apt-get update apt-get install sudo

5. Questions

  1. Which version of sudo is installed on the desktop as reported by apt-cache?

  2. What are the contents of the /root/flag.txt file?

6. Answers

  1. 1.8.31-1ubuntu1

  2. 9cbf95929f8ace5dcfc8326e0791fa83

Get root and retrieve the flag

👍