Linux Basics: Permissions 101
#UofTBootCamp #classwork #linux #permissions #users #groups #su #sudo #less #more #shellbreaking #shellexploit #exploit #escapeexploit
Running commands from inside of less with sudo access
Run `!bash` inside of `less` to drop to a root shell. This is why a sudoers entry that allows `less` (like the john example below) effectively grants a root shell, not just read access to files.
sudo and su basics
`su` – substitute user identity
`sudo` – execute a command as another user
`sudo -l` will list (if no command is specified) the allowed/forbidden commands for the invoking user (or for a specific user with -U). If a command is specified, it will list the “fully-qualified” path to the command.
`sudo -lU <user>` to check if <user> can run sudo, OR `sudo -nv` (non-interactive validate: succeeds only if the current user can sudo without being prompted).
Updating the /etc/sudoers file with `visudo`
`sudo visudo` to edit the file (visudo checks the syntax before saving, so a typo cannot lock everyone out of sudo).
`john ALL=(ALL:ALL) /usr/bin/apt, /usr/bin/less` to give john access to run apt and less as root.
Syntax for /etc/sudoers
The first field is the user allowed (john)
The first ALL is the hosts (ALL, as in all machines)
The (ALL:ALL) is the user and group the command may be run as
The last part is the commands allowed
Activity 1
Determine what sudo activities the sysadmin user has using `sudo -lU sysadmin`:
(ALL : ALL) ALL
meaning that the sysadmin user can run all commands as root on all hosts.
Record what access each user on the machine has:
Find all real users:
`grep -E '^UID_MIN|^UID_MAX' /etc/login.defs` to find the range for the real users on the machine.
`getent passwd {1000..6000}` to display only those users.
However, this does not tell us what commands each user effectively has, because I would now have to search each one manually and then save that into a file.
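Added example (not from these notes): a small shell audit that does the user enumeration above in one pass and also covers the Activity 2 checks. It reads the UID range from login.defs, lists the real users, resolves each one's groups, and flags sudo-group members and any account outside the expected list (admin, adam, billy, sally, max). The login.defs, passwd and group files are constructed samples, and the user mal is a hypothetical rogue account.

```shell
# Added example (not the course's code): audit real users, groups and sudo-group membership
# from passwd/group/login.defs files passed as arguments. The three files below are CONSTRUCTED
# samples standing in for /etc/login.defs, /etc/passwd and /etc/group; "mal" is a hypothetical rogue.
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/login.defs" <<'EOF'
UID_MIN 1000
UID_MAX 60000
EOF
cat > "$SAMPLE_DIR/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
admin:x:1000:1000::/home/admin:/bin/bash
adam:x:1001:1001::/home/adam:/bin/bash
billy:x:1002:1002::/home/billy:/bin/bash
sally:x:1003:1003::/home/sally:/bin/bash
max:x:1004:1004::/home/max:/bin/bash
mal:x:1005:1005::/home/mal:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
EOF
cat > "$SAMPLE_DIR/group" <<'EOF'
sudo:x:27:admin,mal
developers:x:1100:adam,billy,sally
admin:x:1000:
mal:x:1005:
EOF
EXPECTED="admin adam billy sally max"   # the only standard users that should exist (Activity 2)

# Real (human) users: UID within the UID_MIN..UID_MAX range of login.defs.
real_users() {  # $1=login.defs $2=passwd
  awk 'NR == FNR { if ($1 ~ /^UID_(MIN|MAX)$/) r[$1] = $2 + 0; next }
       $3 + 0 >= r["UID_MIN"] && $3 + 0 <= r["UID_MAX"] { print $1 }' "$1" FS=: "$2"
}
# Groups of user $1: primary group (matched by GID) first, then supplementary ones.
user_groups() {  # $1=user $2=passwd $3=group
  awk -v u="$1" -F: 'NR == FNR { if ($1 == u) gid = $4; next }
       $3 == gid { prim = $1; next }
       { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) sup = sup " " $1 }
       END { s = prim sup; sub(/^ /, "", s); print s }' "$2" "$3"
}
# One tab-separated line per real user: name, groups, flags (SUDO = in sudo group, ROGUE = not expected).
audit_users() {  # $1=login.defs $2=passwd $3=group
  for u in $(real_users "$1" "$2"); do
    g=$(user_groups "$u" "$2" "$3"); flags=""
    case " $g " in *" sudo "*) flags="SUDO";; esac
    case " $EXPECTED " in *" $u "*) ;; *) flags="$flags ROGUE";; esac
    printf '%s\t%s\t%s\n' "$u" "$g" "${flags# }"
  done
}
audit_users "$SAMPLE_DIR/login.defs" "$SAMPLE_DIR/passwd" "$SAMPLE_DIR/group"  # real host: /etc/login.defs /etc/passwd /etc/group
```

This only reads the local files, so accounts coming from LDAP/SSSD would need `getent passwd` and `getent group` instead; the per-user sudoers commands still come from `sudo -lU <user>`.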
Display all users:
`awk -F':' '{ print $1 }' /etc/passwd`
OR `compgen -u`
Display all sudo users:
`getent group sudo | cut -d: -f4`
`grep '^sudo:.*$' /etc/group | cut -d: -f4`
Find the user who has sudo access to the less command
`sudo grep less /etc/sudoers` (also check the drop-in files under /etc/sudoers.d/, which `sudo -l` already takes into account)
Switch to root
`sudo su root`
Check for users or groups
`grep <user or group name> /etc/passwd` or `/etc/group`
Users and Groups
UID over 1000 = standard user
`groups` or `groups <user>` prints your user's (or <user>'s) groups to the screen
`id` prints the groups and the GID
`sudo usermod -L <user>` to lock the account
`sudo gpasswd -d <user> <group>` to remove a user from a group (careful: `sudo usermod -G <groups> <user>` replaces the user's whole supplementary group list with <groups>, so it silently drops every group not listed)
`sudo deluser --remove-home <user>` to remove a user; the `--remove-home` flag removes the home folder, too
`sudo usermod -aG <group> <user>` to add a user to a group (`-a` appends instead of replacing)
Activity 2
1. Use a command to display your ID info.
2. Use the same command to display the ID info for each user on the system.
– In case you forgot, how can you learn what these usernames are?
– Record the output from this series of commands to a new file in your research folder.
3. Print the groups that you and the other users belong to.
– Record the output from this series of commands to a new file in your research folder.
4. Document in your research folder anything suspicious related to any of the users.
– Hint: Are there any users that shouldn't be there?
5. Make sure you have a copy of the home folder for any rogue users and then remove any users from the system that should not be there. Make sure to remove their home folders as well.
Hint: Remember from the first activity, the only standard users that should be on the system are: admin, adam, billy, sally and max.
- Verify that all non-admin users are part of the group developers.
- If the developers group doesn't exist, create it and add the users.
- If the