Traditional Cyber Security


TryHackMe Sudo Security Bypass Walkthrough WriteUp

📌 Hello Cybersecurity Enthusiasts

I am continuing with TryHackMe WriteUps. These write-ups are not just solution shares but also a source of encouragement for those at the beginning of their cybersecurity journey. Every step is a milestone in the endless journey of knowledge.

• 🗂️ Room Name: Sudo Security Bypass (Walkthrough)

• 📜 Description: A tutorial room exploring CVE-2019-14287 in the Unix Sudo program. Room One in the SudoVulns series.

• 🔗 Room URL: https://tryhackme.com/r/room/sudovulnsbypass

• ⚡ Difficulty Level: Info

• 🏹 Included in Paths: -

• 🔍 Specific Tools Mentioned in Room: -

• 🛠️ Types of Tools Used in Room: -

• 🛠️ Tools Used in Room: -

• 🎯 Target System: Linux

• 🏳️ Relevant Team: 🔴 Red

First of all, let’s summarize the vulnerability described in the room:

CVE-2019-14287 is a vulnerability discovered by Apple researcher Joe Vennix in the Unix Sudo program. It allows a user whose sudo permissions were deliberately restricted to still obtain root (superuser) privileges. Specifically, when a user is granted permission to run commands as other users, an administrator can add the following line to the sudoers file to deny that user root: <user> ALL=(ALL:!root) NOPASSWD: ALL. However, on a system with this configuration and a vulnerable Sudo, when a UID of -1 (or 4294967295) is passed to Sudo, Sudo incorrectly treats it as 0 (root).

In practice this means the user can run commands as root despite the restriction: sudo -u#-1 <command> executes the command as root even though root was explicitly excluded. The vulnerability shows that system administrators must be careful when configuring Sudo with special permissions, because an incorrect configuration (combined with an unpatched Sudo) increases the risk of unauthorized privilege escalation.
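As an added example (not part of the room or of this write-up), here is a small Python audit that flags sudoers rules of the shape described above and checks the installed sudo version against 1.8.28, the release that fixed CVE-2019-14287. The sudoers content is a constructed sample; the version string is the first line of `sudo -V`.

```python
import re
from typing import List, Tuple

# Constructed sample sudoers content (not taken from the room). Lines 3 and 5 have
# the shape the write-up describes: every runas target is allowed except root.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
root      ALL=(ALL:ALL) ALL
tryhackme ALL=(ALL:!root) NOPASSWD: ALL
deploy    ALL=(www-data) NOPASSWD: /usr/bin/systemctl restart nginx
alice     ALL=(ALL, !root) /bin/bash
"""

# Runas lists that grant ALL and then negate root (":" or "," form, root as name or "#0").
NEGATED_ROOT = re.compile(r"\(\s*ALL\s*[:,]\s*!\s*(root|#0)\s*\)")

# CVE-2019-14287 was fixed in sudo 1.8.28; anything older with such a rule is exposed.
FIXED_IN = (1, 8, 28, 0)

def find_negated_root_rules(sudoers: str) -> List[Tuple[int, str]]:
    """Return (line number, rule) for every rule whose runas list excludes only root."""
    hits = []
    for n, line in enumerate(sudoers.splitlines(), start=1):
        if line.lstrip().startswith("#"):  # full-line comment
            continue
        if NEGATED_ROOT.search(line):
            hits.append((n, line.strip()))
    return hits

def parse_sudo_version(version: str) -> Tuple[int, int, int, int]:
    """Parse the first line of `sudo -V`, e.g. 'Sudo version 1.8.27p1' -> (1, 8, 27, 1)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", version)
    if not m:
        raise ValueError(f"unrecognised sudo version: {version!r}")
    major, minor, patch, p = m.groups()
    return (int(major), int(minor), int(patch), int(p or 0))

def version_is_vulnerable(version: str) -> bool:
    return parse_sudo_version(version) < FIXED_IN

def audit(sudoers: str, sudo_version: str) -> List[str]:
    """One finding per risky rule when the installed sudo predates the fix."""
    if not version_is_vulnerable(sudo_version):
        return []
    return [f"line {n}: {rule!r} on sudo {sudo_version}: a uid of -1 or 4294967295 is "
            f"accepted as root; upgrade to 1.8.28+ and list allowed runas users explicitly"
            for n, rule in find_negated_root_rules(sudoers)]
```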

Task 1

1.1 Deployed!

Answer: No answer needed

Task 2

2.1 What command are you allowed to run with sudo?

First, let’s establish our SSH connection with the given information:

We were asked which commands we can run with sudo, so let's check:

As the last line of the output shows, the only command we can run with sudo is "/bin/bash".

Answer: /bin/bash

2.2 What is the flag in /root/root.txt??

Let’s perform our exploit as described in the room:

Let's read the flag from /root/root.txt, the usual location of the root flag:

Yes, that was all.

It's very short and simple, but there is an important conclusion to be drawn from this room: a seemingly simple security measure, or a single unpatched program or service, can have very severe consequences!

Answer: THM{l33t_s3cur1ty_bypass}

I’ve not only tried to explain what works but also to highlight what doesn’t, providing detailed information to help beginners gain a better perspective. I hope it has been informative enough!

Best regards!

If you enjoyed this article and want to see more content like this, don’t forget to:

• 👏 Clap to show your support,

• 📰 Follow me for upcoming articles on AI security and ethical hacking, and

• 💬 Feel free to share your thoughts or ask about any issues you encountered in the comments — I’d be happy to hear your ideas!

Thank you for being part of this journey, and see you in the next one! 🌟
