Privilege Escalation

Privilege escalation is a network attack that seeks unauthorized higher-level access within a security system, often by exploiting vulnerabilities. It can be categorized into horizontal and vertical privilege escalation, allowing attackers to gain control over sensitive systems or data. Effective management of user accounts and understanding access controls are crucial in preventing such attacks, particularly in Linux systems.

Privilege escalation refers to a network attack aiming to gain unauthorized higher-level access within a security system. It typically starts with attackers exploiting vulnerabilities to access a system with limited privileges.

The attackers then elevate their access rights to gain control over more sensitive
systems or data. Common reasons for successful privilege escalation include
insufficient security controls, non-adherence to the principle of least privilege, and
exploitable software vulnerabilities. This can lead to either external threat actors or
insiders gaining undue access.

Horizontal vs. Vertical Privilege Escalation

There are two types of privilege escalation:

Horizontal privilege escalation—an attacker expands their privileges by taking over another account and misusing the legitimate privileges granted to the other user. To learn more about horizontal privilege escalation see our guide on lateral movement.

Vertical privilege escalation, sometimes referred to as privilege elevation, is when an attacker compromises a user account that has limited permissions on a system. They then look for ways to increase their privileges using the same account. For example, they might add the compromised account to the local administrator group.

Privilege escalations allow attackers to open up new attack vectors on a target system. For example, it can involve:

 Gaining access to other connected systems
 Deploying additional malicious payloads on a target system
 Adjusting security settings or privileges
 Gaining access to applications or data on a system beyond the privileges of the original compromised account
 In extreme cases, gaining root access to a target system or an entire network

When security teams suspect privilege escalation it is important to perform an in-depth investigation. Signs of privilege escalation include malware on sensitive systems, suspicious logins, and unusual network communications.

Any privilege escalation incident must be dealt with as a severe security incident
and, depending on the organization’s compliance obligations, might have to be
reported to authorities.

On Linux, this is typically done via the sudo (Super User DO) command that
enables condition-based privilege elevation for user accounts. To use sudo
privilege elevation, you simply precede the command with sudo, which will then
execute the command as a super-user.
An example of using sudo to execute ifconfig as a super-user is below:

Basics of Linux privilege escalation

Before we explain how to prevent unwanted privilege escalation, it’s important to have a basic understanding of how access controls work on Linux systems. User account management is one of the critical steps to hardening and securing Linux systems. Unmanaged user accounts leave a door open for attackers to exploit. Unused user accounts or accounts with easily cracked or guessable passwords are the most targeted by attackers.

A big difference between Windows and Linux is that Windows was originally
planned as a single-user system with administrator privileges. In contrast, Linux
was designed as a multi-user operating system. With many users accessing the
same system, you can see why managing directory and file access is critical.

How privileges are created and delegated in Linux systems

One of the most important files on a Linux system is the passwd file, located at /etc/passwd. This file lists all the users known to the system, which may also include users provided by directory services. If we look inside the passwd file using the “cat” command, we find something like the following:

Each line represents a user on the Linux system. Each field is separated using the colon “:” character, and the fields of the passwd file format are the following:

1. Username

2. Password placeholder (“x” indicates the encrypted password is stored in the /etc/shadow file)

3. User ID (UID)

4. Group ID (GID)

5. Personal information (separated by commas) – can contain full name, department, etc.

6. Home directory

7. Shell – absolute path to the command shell used (if /sbin/nologin then login isn’t permitted, and the connection gets closed)

Any user with a user ID above 1000 (this can slightly vary on certain Linux/Unix
operating systems) isn’t a default user and has been added to the system. “UID 0”
is reserved for the root account, however it can also be used for other users, giving
them super-user privileges. “Effective ID 0” and “1-99” are for predefined
accounts and “100-999” are for system administration. If you find + or – in the
field, this likely represents an account being used with a directory service, for
example LDAP.

In older Linux systems the password of the user was stored in the /etc/passwd file,
however this was deemed insecure and was replaced using the /etc/shadow file.
That’s why the password placeholder containing an “x” indicates the password is
stored in the /etc/shadow file.
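To make the field layout and the UID rules above concrete, here is an added example (not code from the original post) that parses passwd-style lines and flags the entries a hardening review should look at: accounts other than root with UID 0, empty or non-shadowed password fields, locally added accounts at or above UID 1000, and the “+”/“-” compat entries used with directory services. The sample lines are constructed; the 1000 threshold is the page's value and may differ per distribution.

```python
# Added example (not from the original post): parse /etc/passwd-style lines and
# flag the entries the text above singles out. The sample below is constructed.
from typing import Dict, List

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
sshd:x:105:65534::/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice Example,Engineering:/home/alice:/bin/bash
backup2:x:0:0:backup helper:/root:/bin/sh
legacy::1002:1002:Legacy Service:/var/lib/legacy:/bin/sh
+@admins::::::
"""

FIELDS = ("name", "password", "uid", "gid", "gecos", "home", "shell")
NO_LOGIN_SHELLS = ("/sbin/nologin", "/usr/sbin/nologin", "/bin/false")


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each non-empty line into the seven colon-separated passwd fields."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(parts)}")
        entries.append(dict(zip(FIELDS, parts)))
    return entries


def audit_passwd(entries: List[Dict[str, str]], uid_min: int = 1000) -> Dict[str, List[str]]:
    """Return {username: [reasons]} for entries a hardening review should look at."""
    findings: Dict[str, List[str]] = {}

    def note(name: str, reason: str) -> None:
        findings.setdefault(name, []).append(reason)

    for e in entries:
        name = e["name"]
        if name.startswith(("+", "-")):
            # NIS/LDAP compat syntax: the real data lives in the directory service
            note(name, "NIS/LDAP compat entry (+/-): resolved through a directory service")
            continue
        uid = int(e["uid"])
        if uid == 0 and name != "root":
            note(name, "UID 0 but not root: the account has super-user privileges")
        if e["password"] == "":
            note(name, "empty password field: the account may log in without a password")
        elif e["password"] != "x":
            note(name, "password hash kept in /etc/passwd instead of /etc/shadow")
        if uid >= uid_min:
            note(name, f"UID {uid} >= {uid_min}: locally added (non-default) account")
        if 0 < uid < uid_min and e["shell"] not in NO_LOGIN_SHELLS:
            note(name, f"system account with an interactive shell {e['shell']}")
    return findings


if __name__ == "__main__":
    for user, reasons in audit_passwd(parse_passwd(SAMPLE_PASSWD)).items():
        for reason in reasons:
            print(f"{user}: {reason}")
```

On a real host you would feed the contents of /etc/passwd to parse_passwd instead of the constructed sample; the audit only reads the file, which is world-readable as the next paragraph notes.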

The passwd file is typically readable by all users. For example, if you run the
command “ls -la /etc/passwd” you will get output like the following:

Using the ls -la command to view file permissions

The permissions in the “ls -la” output for the /etc/passwd file show the following
format:
The first character (“-” here) is the file type field, which varies with the kind of file. Special permissions, known as SUID, SGID and the Sticky Bit, also appear in this string. We will cover the special permissions a little bit later.

Permission Groups are defined as follows:

1. Owner

2. Group

3. All Users

Permission Types are defined as follows:

1. Read = 4

2. Write = 2

3. Execute = 1

4. – (No permissions set) = 0


So, let’s explain the output from the /etc/passwd file above. It has the
following access permissions:

1. File Type

2. Owner (root) has read and write permissions

3. Group (root) has read permissions

4. All Users have read permissions

5. Number represents hard links to the file

6. Owner

7. Group
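The following added example (not code from the original post) works through the “ls -la” columns listed above in code: it converts a mode string such as “-rw-r--r--” into the 4/2/1 values per permission group, records the SUID, SGID and Sticky Bit special permissions, and splits out the hard-link count, owner, group, size and name. The sample “ls -la” lines are constructed, and the audit_ls function flags only the conditions a permissions review commonly checks (SUID/SGID files and world-writable paths).

```python
# Added example (not from the original post): decode the mode string and columns
# of "ls -la" output. Sample lines are constructed, not taken from a real host.
from typing import Any, Dict, List, NamedTuple

SAMPLE_LS = """\
-rw-r--r-- 1 root root 2847 Jan 10 09:12 /etc/passwd
-rw-r----- 1 root shadow 1452 Jan 10 09:12 /etc/shadow
-rwsr-xr-x 1 root root 68208 Feb  2  2023 /usr/bin/passwd
drwxrwxrwt 12 root root 4096 Mar  3 11:02 /tmp
-rwxrwxrwx 1 alice alice 512 Mar  3 11:00 /opt/app/run.sh
"""

FILE_TYPES = {"-": "regular file", "d": "directory", "l": "symlink",
              "c": "char device", "b": "block device", "p": "fifo", "s": "socket"}


class Mode(NamedTuple):
    file_type: str
    octal: str          # four digits: special bits, owner, group, all users
    setuid: bool
    setgid: bool
    sticky: bool
    world_writable: bool


def parse_mode(mode: str) -> Mode:
    """Turn a 10-character mode string such as '-rwsr-xr-x' into numeric form."""
    if len(mode) != 10 or mode[0] not in FILE_TYPES:
        raise ValueError(f"not a mode string: {mode!r}")
    setuid = mode[3] in "sS"   # 's' = setuid plus execute, 'S' = setuid without execute
    setgid = mode[6] in "sS"
    sticky = mode[9] in "tT"
    triads = []
    for triad in (mode[1:4], mode[4:7], mode[7:10]):   # owner, group, all users
        value = 0
        if triad[0] == "r":
            value += 4
        if triad[1] == "w":
            value += 2
        if triad[2] in "xst":      # lowercase s/t also carries the execute bit
            value += 1
        triads.append(value)
    special = (4 if setuid else 0) | (2 if setgid else 0) | (1 if sticky else 0)
    octal = f"{special}{triads[0]}{triads[1]}{triads[2]}"
    return Mode(FILE_TYPES[mode[0]], octal, setuid, setgid, sticky, bool(triads[2] & 2))


def parse_ls_line(line: str) -> Dict[str, Any]:
    """Split one 'ls -la' line into mode, hard-link count, owner, group, size and name."""
    parts = line.split(None, 8)   # the name is the 9th field and may contain spaces
    if len(parts) != 9:
        raise ValueError(f"unexpected ls line: {line!r}")
    return {"mode": parse_mode(parts[0]), "links": int(parts[1]), "owner": parts[2],
            "group": parts[3], "size": int(parts[4]), "name": parts[8]}


def audit_ls(text: str) -> Dict[str, List[str]]:
    """Return {path: [reasons]} for entries a permissions review should look at."""
    findings: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("total "):
            continue
        entry = parse_ls_line(line)
        m: Mode = entry["mode"]
        reasons = []
        if m.setuid:
            reasons.append(f"SUID set: executes with the privileges of owner {entry['owner']}")
        if m.setgid and m.file_type == "regular file":
            reasons.append(f"SGID set: executes with the privileges of group {entry['group']}")
        if m.world_writable and m.file_type == "regular file":
            reasons.append("world-writable file: any local user can modify it")
        if m.world_writable and m.file_type == "directory" and not m.sticky:
            reasons.append("world-writable directory without the sticky bit")
        if reasons:
            findings[entry["name"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_ls(SAMPLE_LS).items():
        print(path, "->", "; ".join(reasons))
```

In the sample, /etc/passwd decodes to 0644 (owner read and write, group and all users read), /etc/shadow to 0640, and /tmp to 1777, where the leading 1 is the sticky bit that keeps the world-writable directory from being flagged.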

https://delinea.com/blog/linux-privilege-escalation
