Scenario
Following the successful SSH compromise in Lab 2, access was upgraded from a BSD shell to a Meterpreter session. The user lacks root privileges, so the next step is privilege escalation. For this lab, the vim binary is intentionally misconfigured with the SUID bit to demonstrate a common escalation path.
SUID: What It Is
The SUID (Set User ID) permission causes an executable to run with the file owner's privileges rather than the caller's. In ls -l output it appears as an s in the owner's execute position (a lowercase s means both the SUID and execute bits are set; an uppercase S means SUID is set but the owner's execute bit is not).
-rwsr-xr-x 1 root root 12345 Dec 27 12:00 example_program
Because example_program is owned by root, any non-root user who runs it gets root's effective privileges. Misconfiguring SUID on powerful binaries (like editors or shells) can therefore enable trivial escalation.
Offensive
Spawning an Interactive Shell
From Meterpreter, spawn an interactive shell:
/bin/sh -i
Fixing the Terminal Environment
Initially, vim misbehaved inside this pseudo-tty (editor commands did not work). Inspecting the environment variables revealed that TERM was unset.
TERM not set.
export TERM=xterm
Exploiting SUID vim for Root
With SUID on vim, invoking a shell from inside the editor yields a root shell:
vim
:!sh
:!sh spawns a privileged shell.
Defensive
Incident Detection
Review authentication and command logs to confirm abuse of vim to spawn a shell:
vim usage launching /bin/sh.
Correlate with process listings to confirm interactive shells and ownership changes:
ronny to root.
Response
Terminate malicious sessions and clean up. Kill processes tied to the compromised user and any suspicious root shells.
On the attacker side, access is lost.
Privilege Escalation via SUID & Environment
This lab demonstrates how a misconfigured SUID binary and an improperly configured environment (TERM) can be combined to achieve root. While production systems rarely ship with SUID on editors, legacy systems and ad-hoc admin changes can introduce these flaws. The workflow mirrors real assessments: identify SUID candidates, fix environment/pty issues, and pivot to a root shell.
Real-World Takeaways
- Audit SUID binaries regularly; remove SUID from unnecessary tools (especially editors, interpreters).
- Harden shells and terminal handling in constrained environments (proper PTY, env sanitization).
- Monitor for suspicious command lines (e.g., editors launching shells) and unusual root-owned interactive shells.
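The Incident Detection steps above and the first and third takeaways, as one added POSIX shell example (written for this write-up, not part of the original lab): it audits a directory tree for SUID files and flags editors, pagers, shells and interpreters, and it scans a ps-style listing for shells whose parent is an editor and for processes whose effective user is root while the real user is not (the "ronny to root" ownership change). The risky-name list, the user ronny and the process snapshot are constructed for the demo; the only real interface assumed is the procps format `ps -eo pid,ppid,ruser,euser,comm`.

```sh
#!/bin/sh
# Added example for this write-up (not part of the original lab): two small
# checks a defender can run. All user names, paths and process data are
# constructed for the demo; the risky-name list is an assumption, not a
# complete reference.

# Binaries that should almost never carry SUID: editors, pagers, shells and
# interpreters can all hand the caller a shell running as the file owner.
RISKY_SUID_NAMES='vim vi nvim nano emacs less more man sh bash dash zsh ksh python python3 perl ruby awk find'

# audit_suid DIR
# Lists every regular file under DIR with the set-user-ID bit (mode 4000),
# one per line, prefixed RISKY when its basename is in RISKY_SUID_NAMES and
# SUID otherwise.
audit_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        name=${f##*/}
        case " $RISKY_SUID_NAMES " in
            *" $name "*) printf 'RISKY %s\n' "$f" ;;
            *)           printf 'SUID %s\n' "$f" ;;
        esac
    done
}

# suid_risky_count DIR
# Number of RISKY hits under DIR; handy as the exit condition of a cron job
# or a CI check (grep -c prints 0 and exits 1 when nothing matches).
suid_risky_count() {
    audit_suid "$1" | grep -c '^RISKY ' || :
}

# flag_editor_shells
# Reads a process listing in the shape of `ps -eo pid,ppid,ruser,euser,comm`
# from stdin and prints, sorted:
#   EDITOR_SHELL ...  a shell whose parent process is an editor or pager
#   UID_MISMATCH ...  a process whose effective user is root while its real
#                     user is not, which is what a SUID binary (and anything
#                     it spawns) looks like in the lab
flag_editor_shells() {
    awk '
    NR == 1 { next }                                  # skip the header line
    { ppid[$1] = $2; ruser[$1] = $3; euser[$1] = $4; comm[$1] = $5 }
    END {
        for (p in comm) {
            par = ppid[p]
            if (comm[p] ~ /^(sh|bash|dash|zsh|ksh)$/ && (par in comm) &&
                comm[par] ~ /^(vim|vi|nvim|nano|emacs|less|more|man)$/)
                printf "EDITOR_SHELL pid=%s parent=%s ruser=%s euser=%s\n",
                       p, comm[par], ruser[p], euser[p]
            if (euser[p] == "root" && ruser[p] != "root")
                printf "UID_MISMATCH pid=%s comm=%s ruser=%s euser=%s\n",
                       p, comm[p], ruser[p], euser[p]
        }
    }' | sort
}

# sample_listing
# Constructed snapshot modelled on the lab: ronny's bash runs SUID vim (real
# user ronny, effective user root), which spawns sh. The sudo -> sh pair at
# the end is a legitimate root shell and must not be flagged.
sample_listing() {
    cat <<'EOF'
  PID  PPID RUSER    EUSER    COMMAND
    1     0 root     root     init
  901     1 root     root     sshd
  940   901 ronny    ronny    bash
  955   940 ronny    root     vim
  960   955 ronny    root     sh
 1001   901 ronny    ronny    bash
 1010  1001 ronny    ronny    less
 1020  1001 root     root     sudo
 1025  1020 root     root     sh
EOF
}

# Stand-alone demo: audit a real directory, then scan the constructed listing.
# On a live host, replace sample_listing with: ps -eo pid,ppid,ruser,euser,comm
audit_suid /usr/bin
sample_listing | flag_editor_shells
```

Against the constructed listing the scan reports the sh under vim as EDITOR_SHELL and both vim and its sh as UID_MISMATCH, while the sudo-spawned root shell stays quiet because its real and effective users agree. The two checks are complementary: the SUID audit is preventive and belongs in a scheduled job, the listing scan is the triage step once an alert like the one in this lab fires.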