Sudo abuse is privilege escalation through misconfigured `sudo` rules. The sudoers policy decides which users can run which commands as root. When a rule is too broad (allowing a program that can spawn a shell), uses `NOPASSWD`, or keeps a dangerous environment variable like `LD_PRELOAD`, a low-privileged user can turn their allowed command into a root shell. The first thing an attacker runs is `sudo -l`, and GTFOBins maps which sudo-allowed binaries escalate.
What sudo abuse is
sudo lets administrators grant specific users the right to run specific commands as another user, usually root, defined in the sudoers file. Used carefully it is least-privilege done well.
The abuse comes from over-broad or careless rules: allowing a program that can launch a shell or read/write any file, allowing all commands, using NOPASSWD so no password is needed, or preserving dangerous environment variables. Each turns a narrow grant into full root.
The common misconfigurations and payload
The attacker starts with `sudo -l` to see what they are allowed to run, then exploits it:
- A sudo-allowed editor or pager: `sudo vim -c ':!/bin/sh'` or `sudo less /etc/profile` then `!sh`
- Any sudo-allowed binary on GTFOBins (find, awk, python, tar with checkpoint, etc.)
- LD_PRELOAD kept via `env_keep`: compile a small library that calls `setuid(0)`, then `sudo LD_PRELOAD=/tmp/x.so <allowed-cmd>`
- A rule allowing `ALL` commands is an immediate `sudo /bin/bash`.
Documented techniques shown for defenders.
How to defend
- Grant the minimum: only the exact commands a user needs, never `ALL`, and avoid programs that can spawn shells or read arbitrary files.
- Avoid NOPASSWD except where truly necessary.
- Do not keep dangerous environment variables (remove `env_keep` entries like LD_PRELOAD; keep `env_reset` on).
- Use full paths in sudoers and avoid wildcards.
- Review sudoers regularly and test rules against GTFOBins-style abuse.
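As an added example (not part of the original page), a small Python auditor that flags the misconfigurations listed above in sudoers text: `ALL` rules, `NOPASSWD`, `env_keep` entries preserving `LD_PRELOAD`, a missing `env_reset`, wildcards, non-absolute paths and shell-capable binaries. The sample sudoers content, the `SHELL_CAPABLE` subset and the finding strings are constructed assumptions; the parser covers plain user specifications and `Defaults` lines only, not aliases, includes or line continuations.

```python
import re

# Constructed sample sudoers content (not from any real host); each rule exercises one misconfiguration.
SAMPLE = """\
Defaults env_reset
Defaults env_keep += "LD_PRELOAD"
%ops    ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/vim
backup  ALL=(root) /bin/tar -czf /backup/*.tgz /srv
www     ALL=(root) /usr/sbin/service apache2 restart
"""
# Illustrative subset of GTFOBins sudo entries (shell-spawning or file-reading programs); extend for real audits.
SHELL_CAPABLE = {"vim", "vi", "less", "more", "find", "awk", "python", "python3",
                 "perl", "tar", "bash", "sh", "env", "nmap"}
TAGS = re.compile(r"\b(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):")
USER_SPEC = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(.*)$")  # user host=(runas) [tags] cmds

def audit_sudoers(text):
    """Return [(line_no, finding)] for risky sudoers content; line 0 marks a file-wide finding."""
    findings, env_reset_seen = [], False
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            body = line[len("Defaults"):]
            if re.search(r"(?<!!)\benv_reset\b", body):   # 'env_reset' but not '!env_reset'
                env_reset_seen = True
            kept = re.search(r'env_keep\s*\+?=\s*"?([^"]+)"?', body)
            if kept and re.search(r"\bLD_(PRELOAD|LIBRARY_PATH)\b", kept.group(1)):
                findings.append((no, "env_keep preserves LD_PRELOAD/LD_LIBRARY_PATH"))
            continue
        m = USER_SPEC.match(line)
        if not m:
            continue
        who, cmds = m.group(1), m.group(2)
        if "NOPASSWD" in cmds:
            findings.append((no, f"{who}: NOPASSWD (runs without authentication)"))
        for cmd in [c.strip() for c in TAGS.sub("", cmds).split(",") if c.strip()]:
            prog = cmd.split()[0]
            if cmd == "ALL":
                findings.append((no, f"{who}: ALL commands (direct root shell)"))
            elif not prog.startswith("/"):
                findings.append((no, f"{who}: non-absolute path {prog!r}"))
            elif "*" in cmd:
                findings.append((no, f"{who}: wildcard in {cmd!r}"))
            if prog.rsplit("/", 1)[-1] in SHELL_CAPABLE:
                findings.append((no, f"{who}: shell-capable binary {prog} (see GTFOBins)"))
    if not env_reset_seen:
        findings.append((0, "no 'Defaults env_reset' in file"))
    return findings
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root, or over copies of `/etc/sudoers.d/*`, to list findings per line.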