Privilege Escalation admin user to root user in hestiacp/hestiacp
Jul 22nd 2022
The "admin" user has sudo rights and can gain root access. In a default sudo installation the "admin" group has root rights. The "admin" user is created by the Hestia installation and is also a member of the "admin" group, so an attacker who gains access to the "admin" user can obtain root access.
Proof of Concept
    root@server:/home/t# sudo -u admin sudo -l
    Matching Defaults entries for admin on server:
        env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_keep=VESTA, env_keep+=HESTIA, !syslog, !requiretty

    User admin may run the following commands on server:
        (ALL) ALL
        (root) NOPASSWD: /usr/local/vesta/bin/*
        (root) NOPASSWD: /usr/local/hestia/bin/*
The admin user can run any command as root because of the (ALL) ALL permission. To fix this, change
    %admin ALL=(ALL) ALL
to
    # %admin ALL=(ALL) ALL
in the "/etc/sudoers" file using visudo.
Until then, attackers who control the admin user can gain root access.
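As an added example (not part of the original report or of the Hestia project), the shell script below audits a sudoers file for an uncommented "%admin ALL=(ALL) ALL" rule and produces the hardened copy with that line commented out, which is the change the report recommends making with visudo. The sample sudoers content is constructed to mirror the layout shown in the report; the file path, function names and the exact regular expression are assumptions. Hestia's own NOPASSWD rules for /usr/local/hestia/bin/* are left untouched, since the report only objects to the unrestricted group rule.

```shell
#!/bin/sh
# Added example, not from the original report: audit a sudoers file for the
# unrestricted "%admin ALL=(ALL) ALL" group rule and produce a hardened copy.

# Returns 0 (true) if an active, uncommented %admin rule granting ALL exists,
# 1 otherwise. Matches both "(ALL)" and "(ALL:ALL)" runas specs.
admin_group_has_full_sudo() {
    grep -Eq '^[[:space:]]*%admin[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL' "$1"
}

# Prints a copy of the file with the %admin rule commented out, leaving the
# per-command NOPASSWD rules for the Hestia binaries in place.
comment_out_admin_rule() {
    sed -E 's/^([[:space:]]*)(%admin[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL)/\1# \2/' "$1"
}

# Constructed sample sudoers (assumption: layout modelled on the report's output).
# Temporary files are used so the functions can be pointed at a real
# /etc/sudoers path in the same way.
SAMPLE_VULN=$(mktemp)
cat > "$SAMPLE_VULN" <<'EOF'
Defaults env_reset
Defaults env_keep+=HESTIA
root ALL=(ALL:ALL) ALL
%admin ALL=(ALL) ALL
admin ALL=(root) NOPASSWD: /usr/local/hestia/bin/*
EOF

if admin_group_has_full_sudo "$SAMPLE_VULN"; then
    echo "RISK: %admin group has unrestricted sudo in $SAMPLE_VULN"
fi

SAMPLE_FIXED=$(mktemp)
comment_out_admin_rule "$SAMPLE_VULN" > "$SAMPLE_FIXED"

if admin_group_has_full_sudo "$SAMPLE_FIXED"; then
    echo "hardened copy still grants %admin full sudo"
else
    echo "hardened copy written to $SAMPLE_FIXED: %admin rule commented out"
fi
```

On a real system, run the audit against /etc/sudoers and any files under /etc/sudoers.d, and apply the change through visudo rather than copying the generated file over, so the syntax is validated before sudo reads it.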