id: privesc-sash

info:
  name: sash - Privilege Escalation
  author: daffainfo
  severity: high
  description: |
    sash is a stand-alone shell that is commonly used for system recovery and maintenance. It provides a minimal set of commands and features, making it useful in situations where the regular shell environment may not be available or functional. sash is often used in emergency situations to troubleshoot and repair systems.
  reference:
    - https://gtfobins.github.io/gtfobins/sash/
  metadata:
    verified: true
    max-request: 3
  tags: code,linux,sash,privesc,local

self-contained: true
code:
  - engine:
      - sh
      - bash
    source: |
      whoami

  - engine:
      - sh
      - bash
    source: |
      sash -c 'whoami'

  - engine:
      - sh
      - bash
    source: |
      sudo sash -c 'whoami'

    matchers-condition: and
    matchers:
      - type: word
        part: code_1_response
        words:
          - "root"
        negative: true

      - type: dsl
        dsl:
          - 'contains(code_2_response, "root")'
          - 'contains(code_3_response, "root")'
        condition: or
# digest: 4a0a00473045022100ce3e0790fc0f2df9c854c0ebbea87101366fb71cb94b201e9cfe514944fd99a9022049f61f1295c5c558f823dce1676595bbc76b6231d4e119c8ac27fd97f13885f3:922c64590222798bb761d5b6d8e72950