Sudo and Sudo Caching
Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges. Adversaries may do this to execute commands as other users or spawn processes with higher privileges.
Within Linux and macOS systems, sudo (sometimes referred to as "superuser do") allows users to run commands from a terminal with elevated privileges and controls who can run those commands on the system. The sudo command "allows a system administrator to delegate authority to give certain users (or groups of users) the ability to run some (or all) commands as root or another user while providing an audit trail of the commands and their arguments." Since sudo was made for the system administrator, it has some useful configuration features such as timestamp_timeout, which is the amount of time in minutes between invocations of sudo before it will reprompt for a password. This exists because sudo can cache credentials for a period of time. Sudo creates (or touches) a file at /var/db/sudo and /var/run/sudo/ts/<username> with a timestamp of when sudo was last run to determine this timeout. Additionally, there is a tty_tickets variable that treats each new tty (terminal session) in isolation. This means that, for example, the sudo timeout of one tty will not affect another tty (you will have to type the password again).
The sudoers file describes which users can run which commands and from which terminals. It also describes which commands users can run as other users or groups. This supports the principle of least privilege: users run with their lowest possible permissions most of the time and only elevate to other users or permissions as needed, typically by being prompted for a password. However, the sudoers file can also specify when not to prompt users for passwords, with a line like user1 ALL=(ALL) NOPASSWD: ALL. Elevated privileges are required to edit this file, though.
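As an added example (not part of the original page), the following audit parses a constructed sudoers snippet and flags the settings discussed above: a timestamp_timeout above sudo's compiled-in 5-minute default or set below 0 (the cache then never expires until reboot), a disabled tty_tickets, and NOPASSWD rules. The sample sudoers text and the severity labels are assumptions made for this example.

```python
import re

# Constructed sample sudoers content for this example (not from a real host).
SAMPLE_SUDOERS = """
# Defaults section
Defaults        env_reset
Defaults        timestamp_timeout=15, !tty_tickets
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
user1   ALL=(ALL) NOPASSWD: ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/vim
"""

DEFAULT_TIMEOUT = 5.0  # sudo's compiled-in timestamp_timeout, in minutes
# Matches "Defaults", "Defaults:user", "Defaults@host", "Defaults>runas", "Defaults!cmd"
DEFAULTS_RE = re.compile(r"^Defaults(?:[:@>!]\S+)?\s+(.*)$")


def parse_defaults(text):
    """Collect option values from every Defaults line (comma-separated items)."""
    opts = {}
    for line in text.splitlines():
        m = DEFAULTS_RE.match(line.split("#", 1)[0].strip())
        if not m:
            continue
        for item in m.group(1).split(","):
            item = item.strip()
            if not item:
                continue
            if "=" in item:                      # key=value option
                key, val = item.split("=", 1)
                opts[key.strip()] = val.strip()
            elif item.startswith("!"):           # negated boolean option
                opts[item[1:]] = False
            else:                                # enabled boolean option
                opts[item] = True
    return opts


def audit_sudoers(text):
    """Return (severity, message) findings for weak caching and NOPASSWD settings."""
    findings = []
    opts = parse_defaults(text)
    timeout = float(opts.get("timestamp_timeout", DEFAULT_TIMEOUT))
    if timeout < 0:
        findings.append(("high", "timestamp_timeout<0: cached credentials never expire until reboot"))
    elif timeout > DEFAULT_TIMEOUT:
        findings.append(("medium", f"timestamp_timeout={timeout:g} exceeds default of {DEFAULT_TIMEOUT:g} minutes"))
    if opts.get("tty_tickets", True) is False:
        findings.append(("medium", "!tty_tickets: one cached sudo credential is valid in every terminal"))
    for line in text.splitlines():
        rule = line.split("#", 1)[0].strip()
        if DEFAULTS_RE.match(rule) or "NOPASSWD" not in rule:
            continue
        sev = "high" if rule.endswith("NOPASSWD: ALL") else "medium"  # unrestricted vs. per-command
        findings.append((sev, f"NOPASSWD rule: {rule}"))
    return findings
```

Run `audit_sudoers(open("/etc/sudoers").read())` as root to check a real host; files under /etc/sudoers.d need to be read the same way.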
In the following screenshot of the sudoers file you can see that the cache time is 15 minutes, and I want all terminals to share that cache rather than be isolated per tty, so none of them need to be asked for the password again.
The sudo command therefore has the potential to give a user more permissions, or access to a vulnerable or GTFOBins binary, which could lead to privilege escalation. For example, examining which binaries can be run without credentials can help identify such risks.
We can execute vim as sudo without supplying any credentials, and vim can be used to "escape" from it and gain a root-level shell.
Below is an example of how the user does not need to enter credentials on the current terminal or on new ones.