PRIVILEGE ESCALATION MANIPULATING A USER'S UID
- This exercise uses a Debian GNU/Linux server:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWT60nCYjP7gvIZB9yB26tzJN49KFT-sBwFCcP2ey98bpQd8_jq4DVBnn6awD4ZjlzjqE80xmX4N681k7qPbuome_qv6nyG04mgZbMkqJST0F-BO0goJekNwjL588vd0uCFkkNgeJK-pQe/s320/debian.jpg)
- By default the only user with UID=0 is the superuser root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi4lLZh-hV5hjSfVAC-xJYd_3yjMEJueef27gQnXwtq8_HXKG6kLeNEB1cQ7e464FU79JTIput7lXU5igZjgbHwhQg6u5a27Dw6cJ0zcWmc-owRM_TAb1zYxzXWz80SCcrhRjT2vVhhIOvw/s1600/screenshot.25.jpg)
- However, let's see what happens if a user's UID is manipulated and changed to 0.
- Creating a new user marie:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHTCxm-iMUx5PsCD88u0IKG7HJ4O9xj7pNbRpzPCwxUPNG4DB0y8kWHtPVbN6gjgmBV7R0uK_0NRghR2a1TuHfDOnkQJhDqlC7CmJHrUCEn1_v7iOeeUz2FY31PELUqb2TSFMESOijuddx/s1600/screenshot.10.jpg)
- Setting a password for the new user:
- Switching the session to the new user:
- The UID for the new user is 1004:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCtx4iSICyrugQ_06qAJ54RlH_JCif-CIfZHbtTzu5Xdwv8hn-ZlsMjjoXffBNwAcitNH3B3z44o3iAN1q_WUZlYCESVn0aeY-7VMCBc4D2zxYu7mMu3Xq5mItGZZQaww_RNddJJBs4kM0/s1600/screenshot.26.jpg)
- Now here comes the tricky part. Anyone who can write /etc/passwd (normally only root, so in practice this means a misconfiguration such as a world-writable /etc/passwd or a sudo rule that lets an ordinary user edit it) can change marie's UID from 1004 to 0:
- Switching to marie's session again (a fresh login or su is needed, because a shell that is already running keeps the credentials it started with), the user marie is now treated exactly like the superuser root. Tools such as id look UID 0 up in /etc/passwd and, since root is the first entry with that UID, even report her as root:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqNdQIpwkxx4IjyZy2G0LEBo3wg-cnPW7MslGRyLO-A8Umatn9rtUd4pWvwyg_P03DJjH8IUuaynUevrTswqchFDSe_EsbbBL4r7yV52sas7hjF3c_uVvpUjH47NZ3WfuQV8NmBhKvf5j6/s1600/screenshot.19.jpg)
- The new user's UID is now 0, although her group IDs have not been changed:
- There are now two users (root and marie) with UID=0:
- Having UID=0, whatever the account is called, is what the kernel checks for superuser access, so marie now has full access to every command and file on the system: a textbook example of privilege escalation.
- To restore the default configuration, edit /etc/passwd again and give marie a UID other than 0:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQpBA28x4QbbgAKrirEhjQgUL9SOwYxSxTJRnovdY5LjY2zIePvnVa193qJPlNWm717RvNzk0kIjmEAVt9IO5iZOq3trBmLzpa5PcdF926Gb9f0gT1M1Auxhl9G92t3dGtIblyuDgyit_3/s1600/screenshot.22.jpg)
- Finally the default configuration is restored:
- As a general rule, to prevent this kind of privilege escalation, check periodically that root is the only account with UID=0:
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY5t60dHTvru9DJdUQ0shv0gPjuM_ST5o71BsAYm3sUevlUls_HDmwx5FuJrcqFAeGoDmJLhhu0066hzG73P6a0a9ZeD3LGkb9f71fWyMlEk04ls_FED6gMdFEJouBfUmax4kJ8LjqlyOK/s1600/screenshot.18.jpg)
- The command in the screenshot, awk -F: '($3 == "0") {print}' /etc/passwd, does the following:
a) awk <- pattern scanning and processing language
b) -F: <- use ':' as the field separator (the separator used in /etc/passwd)
c) '($3 == "0")' <- match lines whose 3rd field (the UID) equals 0
d) {print} <- print the matching line
e) /etc/passwd <- the file to scan
Exactly one line, root's, should come back. Note that this compares against the string "0"; a numeric comparison (awk -F: '$3 == 0' /etc/passwd) also catches a padded value such as 00, which the C library still parses as UID 0.
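The UID manipulation described above (rewriting only the third field of marie's line) and the audit just explained, as an added example that is not part of the original post. It works on a constructed copy of /etc/passwd so it can be run safely as any user; the sample accounts and the helper names (make_sample, set_uid, uid0_accounts, uid0_count, zero_id_not_root) are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): reproduce the UID manipulation on a
# constructed copy of /etc/passwd and audit it for UID-0 accounts.
# Helper names and sample accounts are assumptions for this example.

# Write a constructed passwd file mirroring the page's scenario: root plus marie (UID 1004).
make_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marie:x:1004:1004:marie,,,:/home/marie:/bin/bash
EOF
}

# set_uid FILE USER NEWUID: rewrite only the third field of USER's line, leaving the
# GID untouched, which is exactly what the manual edit on the page does.
set_uid() {
    awk -F: -v OFS=: -v u="$2" -v n="$3" '$1 == u { $3 = n } { print }' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# uid0_accounts FILE: print the name of every account whose UID field is 0.
# The comparison is numeric, so a padded value such as "00" (still parsed as UID 0
# by the C library) is caught as well; the string form '$3 == "0"' would miss it.
uid0_accounts() {
    awk -F: '$3 == 0 { print $1 }' "$1"
}

# uid0_count FILE: number of UID-0 accounts; anything other than 1 needs investigation.
uid0_count() {
    uid0_accounts "$1" | wc -l | tr -d ' '
}

# zero_id_not_root FILE: broader check that also flags a primary GID of 0 on any
# account other than root, printed as name:uid:gid. (Policy assumption: only root may own ID 0.)
zero_id_not_root() {
    awk -F: '($3 == 0 || $4 == 0) && $1 != "root" { print $1 ":" $3 ":" $4 }' "$1"
}

# Demonstration on a temporary copy; the real /etc/passwd is never touched.
demo() {
    f=$(mktemp)
    make_sample "$f"
    echo "before:   $(uid0_count "$f") UID-0 account(s): $(uid0_accounts "$f" | tr '\n' ' ')"
    set_uid "$f" marie 0                       # the escalation edit
    echo "after:    $(uid0_count "$f") UID-0 account(s): $(uid0_accounts "$f" | tr '\n' ' ')"
    echo "flagged:  $(zero_id_not_root "$f")"
    set_uid "$f" marie 1004                    # restore the original UID
    echo "restored: $(uid0_count "$f") UID-0 account(s)"
    rm -f "$f"
}

demo
```

On a real host, run uid0_accounts /etc/passwd (or the one-liner from the screenshot); exactly one line, root, is the expected result. A cron job or configuration-management check that alerts on any other count is the practical form of the periodic check the post recommends.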
![](https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiY5t60dHTvru9DJdUQ0shv0gPjuM_ST5o71BsAYm3sUevlUls_HDmwx5FuJrcqFAeGoDmJLhhu0066hzG73P6a0a9ZeD3LGkb9f71fWyMlEk04ls_FED6gMdFEJouBfUmax4kJ8LjqlyOK/s1600/screenshot.18.jpg)
- The previous command performs this task:
a) awk <- pattern scanning and processing language
b) -F: <- field
c) '($3 == "0") <- if the 3rd field is equal to 0
d) print <- print the line
e) /etc/paswd <- scanning this file