sudo NOPASSWD on a shell-spawner → root

§ Context

Assumed environment: foothold as a low-priv user. `sudo -l` reveals an allowed binary that doesn't require a password and that exposes a shell escape per GTFOBins.

§ Steps

1. 01
   Low-priv shellInitial Access

   T1078— Valid Accounts
2. 02
   Spawn root shell from inside the binaryExecution

   T1059— Command and Scripting Interpreter
3. 03
   sudo -l → identify allowed binariesDiscovery

   T1087— Account Discovery
4. 04
   Match binary to GTFOBins sudo entryPrivilege Escalation

   L-SUDO-MISCONF— Sudo Misconfiguration (NOPASSWD / weak Defaults)
5. 05
   Cron / SSH key persistencePersistence

   L-CRON-WRAP— Cron-Based Persistence

§ References

• T1078Valid Accounts
• T1059Command and Scripting Interpreter
• T1087Account Discovery

§ Frequently asked

What is the "sudo NOPASSWD on a shell-spawner → root" attack path?

User has sudo NOPASSWD on a binary that can shell out (vi, less, awk, perl, python). Use the binary's escape sequence to drop into a root shell. It chains 5 steps drawn from real-world offensive-security techniques.

What starting position does this attack require?

The first step is Low-priv shell (T1078) — a initial access primitive. Assumed environment: foothold as a low-priv user.

What is the final impact of this kill-chain?

The final step lands on Cron / SSH key persistence (L-CRON-WRAP), which falls under Persistence. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

§ Related dossiers

• Shared techniques3

  Service account → SYSTEM via named-pipe impersonation

  Service-context shell has SeImpersonatePrivilege. Use Potato-family tools (Juicy / Rogue / Print / God) to coerce SYSTEM to authenticate to an attacker-controlled named pipe, then impersonate the token.

• Shared techniques2

  io_uring UAF → modprobe_path overwrite → root

  Use an io_uring UAF to land arbitrary kernel write, repoint /proc/sys/kernel/modprobe to an attacker binary, then trigger a kernel auto-modprobe — runs the binary as root.

• Shared techniques2

  nf_tables UAF → kernel R/W → root

  CVE-2024-1086-class nf_tables UAF reachable from a user namespace. Win the race with userfaultfd to land an attacker object in the freed slot, build a kernel R/W primitive, overwrite the current task's cred struct.

• Shared techniques2

  BYOVD → kernel-level disable of EDR callbacks

  From local admin, load a signed-but-vulnerable driver. Use its kernel primitive to walk the EDR's PsSetCreateProcessNotifyRoutine entries and unlink them — EDR stops receiving events while still 'running'.

• Shared techniques2

  Process doppelgänging → spawn signed image with attacker bytes

  Use NTFS transactional file APIs to overlay an attacker image during process creation. The final mapped process differs from the on-disk file — AV sees only the legit signed image at scan time.

• Shared techniques2

  certutil + bitsadmin → AV-friendly stager chain

  Initial access dropped a tiny .bat. It uses certutil to decode a base64 blob and bitsadmin to fetch the real beacon, then schtasks for persistence. Every binary is signed Microsoft.