Getting a shell
Get a shell from ViM
If ViM can be run with NOPASSWD via sudo, then commands can be executed as admin using the ! prefix.
However, if a non-standard shell is set in /etc/passwd, Vi and ViM may not be able to shell out with :shell or execute shell commands with !. This is because these apps are attempting to execute $SHELL (in the case of :shell) or $SHELL -c $COMMAND (in the case of !).
Fortunately, Vi and ViM can be set to override the default $SHELL using :set shell=/bin/bash.
(Exotic shells in /etc/passwd can also cause commands executed via ssh to fail for the same reason.)
Exploiting SUID ViM
If ViM is SUID root and is compiled with Python support, it can be used for privilege escalation.
Tip: Use :py instead if only Python 2 is available.
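Auditing a host for the two conditions described above (a NOPASSWD sudo rule that reaches vi/vim, and a SUID-root ViM built with Python support) can be scripted. The following is an added example, not part of the original notes; the function names and the sample inputs used to exercise them are assumptions.

```shell
#!/usr/bin/env bash
# Added audit example, not from the original page. Function names are illustrative.

# Succeeds if `vim --version` text on stdin lists +python or +python3 (incl. /dyn builds).
vim_version_has_python() {
    grep -Eq '(^|[[:space:]])\+python3?([/[:space:]]|$)'
}

# Prints sudoers-style rules from stdin that allow vi/vim (or ALL) with NOPASSWD.
# Cmnd_Alias indirection is not resolved; review aliases by hand.
risky_sudoers_rules() {
    grep -Ev '^[[:space:]]*#' |
    grep -E 'NOPASSWD:(.*[/[:space:],])?(vi|vim([.][a-z]+)?|ALL)([[:space:],]|$)'
}

# Live scan: run as root so the sudoers files are readable.
audit_host() {
    echo "== NOPASSWD rules that reach vi/vim =="
    cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | risky_sudoers_rules
    echo "== SUID-root vi/vim binaries =="
    find / -xdev -type f -user root -perm -4000 \( -name vi -o -name 'vim*' \) 2>/dev/null |
    while read -r bin; do
        if "$bin" --version 2>/dev/null | vim_version_has_python; then
            echo "$bin (Python support: yes) -> remove SUID bit: chmod u-s $bin"
        else
            echo "$bin (Python support: no) -> still remove SUID bit"
        fi
    done
}

# Nothing runs unless the script is called with --scan.
if [ "${1:-}" = "--scan" ]; then audit_host; fi
```

Where an editor must be offered through sudo, sudoedit avoids running the editor itself as root.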