Sudo is a Linux program that allows a user to run programs with the security privileges of another user, by default the superuser. The basic idea is to give as few privileges as possible to a user while allowing the user to accomplish a task. The term “sudo” means substitute user do. It is a program used for managing user permission via a system configuration file. It allows users to run programs with the privileges of another user, by default, the superuser. The program is supplied for most UNIX and Linux-based operating systems.

A library is a collection of compiled functions. We can make use of these functions in our programs without rewriting the same functionality. This can be achieved by either including the library code in our program (static library) or linking dynamically at runtime (shared library). The LD_PRELOAD is a useful technique to influence the linkage of shared libraries and the resolution of symbols (functions) at runtime in the program execution preparation phase. Linux system programs ld.so and ld-linux.so (dynamic linker/loader) use LD_PRELOAD to load specified shared libraries. In particular, before loading any other libraries, the dynamic loader will first load shared libraries that are in LD_PRELOAD.

Discovered in late 2016, Dirty COW (Dirty copy-on-write) is a computer security vulnerability for the Linux kernel that affects all Linux-based operating systems including Android, which uses older versions of the Linux kernel. It is a local privilege escalation bug that exploits a race condition in the implementation of the copy-on-write mechanism in the kernel's memory-management subsystem.

Network File System (NFS) is a distributed file system protocol originally developed by Sun Microsystems (Sun) in 1984, allowing a user on a client computer to access files over a computer network much like local storage is accessed. NFS, like many other protocols, builds on the Open Network Computing Remote Procedure Call (ONC RPC) system. However, the no_root_squash option basically gives authority to the root user on the client to access files on the NFS server as root. And this can lead to serious security implications.

In programming, a library is an assortment of pre-compiled pieces of code that can be reused in a program. They are very similar to DLL (Dynamic Link Library) in Windows environment. For instance, if you are building an application that needs to perform math operations, you don’t have to create a new set of math functions. You can simply call existing math functions in libraries for that programming language. From a security perspective, however, we should be able to control the execution of the calling program if we can manage to alter the content of a dynamic library.

A symlink (also called a symbolic link) is a type of file in Linux that points to another file or folder on your computer. For example, When a program opens a symlink as a directory, then it reads the contents of the destination directory. Symlinks are similar to shortcuts in Windows.

The path variable is an environment variable that contains an ordered list of paths that Linux and other Unix-like operating systems will search for executables when running a command. Using these paths means that we do not have to specify an absolute path when running a command. Without specifying a full path to executables means that you can control where the executables are searched in the ordered list of paths. If the executable is granted SUID permission, then you can simply utilize it to escalate privilege as root.

The Cron job is a built-in Linux utility that runs processes on the system at a scheduled time. Cron reads from the Crontab (Cron tables) for predefined commands and scripts. By default, Cron runs as root when executing /etc/crontab, so any commands or scripts that are called by the crontab will also run as root. When a script executed by Cron is editable by unprivileged users, those unprivileged users can escalate their privilege by editing this script, and waiting for it to be executed by Cron under root privileges.

The Cron job is a built-in Linux utility that runs processes on the system at a scheduled time. Cron reads from the Crontab (Cron tables) for predefined commands and scripts. By default, Cron runs as root when executing /etc/crontab, so any commands or scripts that are called by the crontab will also run as root. When a script executed by Cron is editable by unprivileged users, those unprivileged users can escalate their privilege by editing this script, and waiting for it to be executed by Cron under root privileges. However, with a Cron job without specifying a full path of executables, adversaries can control where the executables are searched in the ordered list of paths. If the executable is granted SUID permission, then adversaries can simply utilize it to escalate privilege as root.

Wildcards are symbols that represent other characters. You can use them with any command, such as cat or rm commands to list or remove files matching given criteria. For example, the * character means to match any number of characters. Tar is a program that allows you to collect files into an archive, and there are “checkpoint” flags, which allow you to execute actions after a specified number of files have been archived. Since those flags can be injected with wildcards injection, we can use checkpoints to execute commands of our choosing to escalate privilege.

/etc/passwd is a plain text-based database that contains information for all user accounts on the system. It is owned by root and has 644 permissions. The file can only be modified by root or users with sudo privileges and readable by all system users. The /etc/passwd contains one entry per line for each user (user account) of the system. All fields are separated by a colon (:) symbol. However, if a text editor with SUID right enabled on the target machine, we will generate an encrypted password on the student machine and add it to the target machine passwd file to gain login access.

Capabilities function is to divide the power of 'root' into specific privileges so that if a process or binary with restricted capabilities is exploited, the potential damage is limited by not running as root. However, if the target machine has any misconfigured capabilities permission right, we may utilize the capabilities misconfigurations to escalate privilege as root.

Exim4 is a Message Transfer Agent (MTA) developed at the University of Cambridge for use on Unix systems connected to the Internet. Exim4 can be installed in place of sendmail, although its configuration is quite different. However, all versions of Exim4 from 4.87 through 4.91 are vulnerable to a heap-based buffer overflow that could potentially allow for denial of service or arbitrary code execution on Exim4 mail servers, which may allow adversaries to escalate privilege to root.

Password mining is a process of trying to find passwords on the target machine. A way to reveal or identify what a password is. The password can be stored in the clear text in the memory space of running applications, system registry in Linux operating system, application configuration files, or log files. Services like FTP have the credentials stored in the clear text in memory. Therefore, we can dump the memory and read the credentials.

Memcached is a free and open-source, high-performance, distributed memory object caching system, generic in nature, but intended for use in speeding up dynamic web applications by alleviating database load. However, the sensitive information can be stored in the clear text in the MemCached server.

The authorized_keys file in SSH specifies the SSH keys that can be used for logging into the user account for which the file is configured. It is a highly important configuration file, as it configures permanent access using SSH keys and needs proper management. However, if the target machine has misconfigured permission of authorized_keys file, we can generate our own RSA key on the student machine and copy it to the target machine. Once the RSA key is copied to the target machine, we can remote in to the target machine using the RSA key.

The web config file, located in the root of the web folder contains unique settings, such as database connection settings, root folder, and other information. This file is the only file in the script that should be customized. Some common uses for the web config files are to stores credentials in the to connect to the database.

MySQL User Defined Functions (UDF) is a way to extend MySQL with a new function that works like a native built-in MySQL function. Using UDF, you can create native code to be executed inside a MySQL server. To make it work, you will have to write a library, shared object in Linux or DLL in Windows, put it into a system directory, then create the functions in MySQL. As mentioned in the password mining section, we can actually utilize the credentials obtained from Chapter 17 and log into the MySQL server as the database root user on the target machine. Based on the version of MySQL on the target machine, we will search for exploits and create UDF to escalate privilege as root.

Docker is an open-source project that automates the deployment of applications inside Linux containers and provides the capability to package an application with its runtime dependencies into a container. It provides a Docker CLI command-line tool for the lifecycle management of image-based containers. Linux containers enable rapid application deployment, simpler testing, maintenance, and troubleshooting while improving security. Using Linux Docker allows customers to deploy third-party applications faster, enable a more agile development environment, and manage resources more tightly. While we know that there is an issue with the docker that all the commands in Docker require sudo as Docker needs root privilege to run. Docker daemon works in such a way that it is allowed access to the root user or any other user in the particular docker group. This means that access given to the docker group is the same as given constant root access without requiring any password.

LXD is a next-generation system container manager. It offers a user experience similar to the Docker container. LXD group should be considered harmful in the same way as the docker group is. Under no circumstances should a user in a local container be given access to the LXD group. However, LXD installation automatically adds every user to the LXD group by default. If the current user is part of the LXD group on the target machine, it basically gives the current user root permission without requiring any password. Then we may import the Alpine image into the LXD running instance and mount the root file system of the target machine to escalate privilege to root.