🔬Linux Privilege Escalation

Lab 1

🔬 Permissions Matter!

• Direct access to the target machine via student unprivileged user

• Find specific Linux Privilege escalation vulnerabilities manually

• Some files permissions are not set properly, use them to elevate privileges.

Local Enumeration

Misconfigured Permissions Files

• Look for world writable files

  • Find a file that could help to elevate privileges

❗ /etc/shadow is writable by everyone!

Privilege Escalation

• /etc/shadow stores the passwords in an encrypted format, so the root password need to be replaced with a hashed password

• Switch to the root user

Lab 2

🔬 Editing Gone Wrong

• Direct access to the target machine via student unprivileged user

• Find misconfigured sudo privileges

Local Enumeration

Misconfigured SUDO Privileges

• Find setuid programs

📌 Useful tool - FallOfSudo

• Identify what commands the student user can run

❗ /usr/bin/man binary can be run with SUDO privileges, without providing a root user password

• This can happen on Linux systems for specific binaries that other users have to run with SUDO privileges. It looks harmless, but it can allow users to spawn bash privileged sessions, since the specific binary can be utilized to execute specific commands. Those commands are executed with the binary root privileges.

Privilege Escalation

• In the man scrolling page, using the ! a bash can be spawned

• Retrieve the flag with the root user