Challenge 04 • Privilege Escalation Detection

Understanding Privilege Escalation

Privilege escalation is the act of exploiting vulnerabilities or misconfigurations to gain elevated privileges on a system. On Linux, this typically means escalating from a standard user to root (UID 0).

🔑 Sudo (Superuser Do)

Purpose: Allows permitted users to execute commands as the superuser or another user, as specified in /etc/sudoers.

Why It's Dangerous When Misconfigured: Overly permissive sudo rules can allow users to run commands that spawn shells, edit system files, or execute arbitrary code as root.

Common Mistake: Allowing sudo access to powerful binaries like vi, less, find, or python without understanding they can be abused to break out to root shells.

📄 /var/log/auth.log

Purpose: Records authentication events including sudo command execution with timestamps, users, and commands run.

What to Look For: Repeated sudo usage, attempts to edit sensitive files, spawning of shells (bash, sh), and commands known for privilege escalation.

⚙️ /etc/sudoers

Format: user/group host=(run_as_user) command

Example: developer ALL=(ALL) NOPASSWD: /usr/bin/vi

Risk: The above rule allows developer to run vi as root without password. From vi, you can execute :!/bin/bash to get a root shell.

Common Privilege Escalation Vectors

🚨 Sudo Misconfigurations

Wildcard permissions (ALL)
NOPASSWD for dangerous binaries
Text editors (vi, nano, emacs)
File viewers (less, more)
Interpreters (python, perl, ruby)

📝 GTFOBins Techniques

vi: :!/bin/bash (shell escape)
find: -exec /bin/bash \;
python: import os; os.system("/bin/bash")
less: !bash
docker: mount host filesystem

🔍 SUID Binaries

find / -perm -4000 2>/dev/null
Custom SUID programs
Vulnerable system binaries
Path hijacking

📂 Writable Files/Directories

/etc/passwd modification
Cron job injection
Library preloading (LD_PRELOAD)
Service configuration tampering

Investigation Commands

# Check sudo privileges
sudo -l

# View sudo logs
grep "sudo" /var/log/auth.log

# Find SUID binaries
find / -perm -4000 -type f 2>/dev/null

# Check sudoers configuration
cat /etc/sudoers

💡 Pro Tip: GTFOBins (gtfobins.github.io) is a curated list of Unix binaries that can be used to bypass security restrictions. Always check sudo-allowed binaries against GTFOBins before granting permissions.

Evidence Review

📄 /var/log/auth.log Click lines to tag as evidence

⚙️ /etc/sudoers

💻 ~/.bash_history (developer)

📌 Evidence Locker

No evidence tagged yet. Click log lines to add them.

Interactive Terminal

Run bash commands to analyze the logs. Available: cat, grep, wc, awk, sort, uniq, sudo, clear, help

analyst@blueteam:~$ Terminal ready. Type 'help' for available commands.

analyst@blueteam:~$

Investigation Tasks

Tasks Completed: 0 / 10

Task 1 — Username That Escalated Privileges

✓ Correct Answer:

developer

The "developer" user is shown in auth.log executing sudo commands and appears in the sudoers file with dangerous permissions.

Task 2 — Binary Allowed via Sudo

✓ Correct Answer:

/usr/bin/find

The sudoers file shows: developer ALL=(ALL) NOPASSWD: /usr/bin/find - This allows running find as root without a password, which can be abused for privilege escalation.

Task 3 — Timestamp of First Sudo Usage

✓ Correct Answer:

Nov 28 09:45:12

First sudo command in auth.log: "Nov 28 09:45:12 ... sudo: developer : TTY=pts/0 ; PWD=/home/developer ; USER=root ; COMMAND=/usr/bin/find"

Task 4 — Privilege Escalation Technique Used

✓ Correct Answer:

exec

The attacker used find's -exec flag to execute /bin/bash as root: sudo find . -exec /bin/bash \; This is a well-known GTFOBins technique.

Task 5 — Shell Spawned After Escalation

✓ Correct Answer:

/bin/bash

In the bash_history, you can see: sudo find . -exec /bin/bash \; - This spawns a bash shell running as root.

Task 6 — Sensitive File Read with Root Privileges

✓ Correct Answer:

/etc/shadow

After gaining root, the attacker ran: cat /etc/shadow (visible in bash_history and auth.log). This file contains password hashes for all users.

Task 7 — New User Created

✓ Correct Answer:

backdoor

The attacker created a new user "backdoor" with root privileges: useradd -ou 0 -g 0 backdoor (UID 0 = root equivalent access).

Task 8 — UID of Backdoor User

✓ Correct Answer:

The backdoor user was created with UID 0 (-ou 0 flag), which gives it the same privileges as the root user. Multiple accounts can have UID 0.

Task 9 — Sudoers Directive Allowing NOPASSWD

✓ Correct Answer:

NOPASSWD

The sudoers entry contains "NOPASSWD:" which allows the user to run sudo commands without entering their password - a dangerous configuration.

Task 10 — MITRE ATT&CK Technique ID

✓ Correct Answer:

T1548.003

T1548.003 = Abuse Elevation Control Mechanism: Sudo and Sudo Caching. This technique involves exploiting sudo misconfigurations to gain elevated privileges.

XP: 0 / 1000

Attack Analysis & Incident Summary

This section auto-fills once all tasks are completed correctly.

Attack Chain Reconstruction

Complete all tasks to reveal the attack chain.

Incident Summary

Attack type: —
Attacker username: —
Exploited binary: —
Escalation technique: —
Shell spawned: —
Sensitive file accessed: —
Backdoor user: — (UID: —)
Vulnerable config: —
MITRE ATT&CK: —

Recommended Remediation

Immediate: Remove backdoor user, revoke developer sudo access, rotate all passwords
Configuration fix: Remove /usr/bin/find from sudoers, enforce password requirement, use sudo groups instead of individual users
Investigation: Check for additional backdoors, review command history, audit file modifications
Long-term: Implement sudo session recording, regular sudoers audits, least privilege principle, GTFOBins checks

Why This Attack Succeeded

The privilege escalation succeeded because:
1. Overly permissive sudo rule allowed /usr/bin/find without password
2. find binary can execute arbitrary commands via -exec flag
3. No monitoring or alerting on sudo abuse
4. Developer account had unnecessary elevated privileges
5. Sudoers configuration not regularly audited against GTFOBins

🛡️ Challenge 04 • Privilege Escalation Detection

Mission Brief

Available Artifacts

Learning Objectives

Understanding Privilege Escalation

🔑 Sudo (Superuser Do)

📄 /var/log/auth.log

⚙️ /etc/sudoers

Common Privilege Escalation Vectors

🚨 Sudo Misconfigurations

📝 GTFOBins Techniques

🔍 SUID Binaries

📂 Writable Files/Directories

Investigation Commands

Evidence Review

Interactive Terminal

Investigation Tasks

Attack Analysis & Incident Summary

Attack Chain Reconstruction

Incident Summary

Recommended Remediation

Why This Attack Succeeded