PRIVILEGE ESCALATION MANIPULATING A USER'S UID
- In this exercise a Linux Debian server is used:
- By default the only user with UID=0 is the superuser root:
- However, let's see what happens if a user's UID is manipulated and changed to 0.
- Creating a new user marie:
- Setting a password for the new user :
- Switching the session to the new user:
- The UID for the new user is 1004:
- Now here comes the tricky part. A user with enough privileges to edit /etc/passwd could modify this file, changing the user's UID from 1004 to 0:
- Going back to marie's session, let's verify that the user marie is now treated exactly like the superuser root:
- The new user's UID is now 0, although the group IDs have not been changed:
- Actually there are two users (root and marie) with UID=0:
- Having UID=0 (regardless of the user's name) means that marie has full access to every command and file on the system, which can be considered an example of privilege escalation.
- To restore the default configuration, let's edit /etc/passwd again, assigning marie a UID other than 0:
- Finally the default configuration is restored:
- As a general rule, and with the goal of detecting this kind of privilege escalation, it is advisable to check periodically that the only user with UID=0 is root:
- The previous command performs this task:
a) awk <- pattern scanning and processing language
b) -F: <- use ':' as the field separator
c) '($3 == "0") <- if the 3rd field (the UID) is equal to 0
d) print <- print the line
e) /etc/passwd <- the file being scanned
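The periodic check described above, written as a small POSIX shell script that can be dropped into cron. This is an added example, not the original post's command; it wraps the awk expression the post explains in functions, and the passwd lines it scans are a constructed sample file (with marie's UID already edited to 0, as in the exercise) rather than the real /etc/passwd, so it runs offline. The function names `list_uid0`, `uid0_names`, `count_uid0` and `check_single_root` are the example's own.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# accounts whose UID field (3rd colon-separated field) is 0.
# Every function takes an optional file argument and defaults to /etc/passwd.

# Print every account line whose UID is 0 (the awk command the post explains).
list_uid0() {
    awk -F: '($3 == "0") {print}' "${1:-/etc/passwd}"
}

# Print only the login names of the UID-0 accounts, one per line.
uid0_names() {
    awk -F: '($3 == "0") {print $1}' "${1:-/etc/passwd}"
}

# Print how many accounts have UID 0 (always a number, 0 if none).
count_uid0() {
    awk -F: '($3 == "0") {n++} END {print n + 0}' "${1:-/etc/passwd}"
}

# Exit 0 if root is the only UID-0 account, 1 otherwise (usable as a cron
# job whose non-zero status triggers an alert).
check_single_root() {
    names=$(uid0_names "${1:-/etc/passwd}")
    [ "$names" = "root" ]
}

# Constructed sample passwd file reproducing the post's scenario: marie's UID
# has been changed from 1004 to 0 while her GID is still 1004.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marie:x:0:1004:,,,:/home/marie:/bin/bash
EOF

echo "UID-0 accounts in the sample file ($(count_uid0 "$SAMPLE") found):"
list_uid0 "$SAMPLE"
if check_single_root "$SAMPLE"; then
    echo "OK: root is the only UID-0 account"
else
    echo "WARNING: additional UID-0 account(s): $(uid0_names "$SAMPLE" | grep -v '^root$' | tr '\n' ' ')"
fi
rm -f "$SAMPLE"
```

Run against the real system by calling `check_single_root` with no argument (or `check_single_root /etc/passwd`); comparing the full name list against the literal `root` rather than just counting lines also catches the case where root itself has been renamed or removed.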