#IAM-Exploitation

Linux Identity Subversion

0x00 - Executive Summary

Targeting the Linux Identity Management layer is the primary objective for privilege escalation and persistence. By manipulating UID mappings and misconfiguring the sudoers policy, an operator can effectively bypass standard security controls, transforming a standard user into a silent administrative entity.

Impact Analysis: Unauthorized administrative access leading to full system compromise and long-term persistence via UID 0 manipulation or sudo group injection.

0x01 - Prerequisites & Tooling

To follow this guide and replicate the lab environment, the following assets are required:

  • Access: Low-privilege shell on a target Linux system.
  • Binaries: adduser, visudo, journalctl, and su.
  • Files: Sensitive identity files including /etc/passwd and /etc/sudoers.

0x02 - The Theory: Why it works

The Linux kernel enforces permissions based on the numeric User Identifier (UID), not the username string. This design allows for "Ghost Admins"—accounts with non-root names but UID 0, which the kernel treats exactly as root. Furthermore, high-level wrappers such as adduser and sudo simplify management but introduce misconfiguration points (membership of the sudo group, entries in the /etc/sudoers policy) that remain a top vector for vertical escalation.

Red Team Insight: Identifying secondary accounts with UID 0 is a classic persistence method that often evades basic security audits focusing solely on the root username.

0x03 - Step-by-Step Execution

Phase 1: Enumerating Local Identities

Target /etc/passwd to map the local account surface and identify users with interactive shells (/bin/bash).

  linux@host:~$ grep "/bin/bash" /etc/passwd
  root:x:0:0:root:/root:/bin/bash
  desec:x:1001:1001:,,,:/home/desec:/bin/bash

Phase 2: Persistence via Group Injection

Add the controlled account to the sudo group so it can run administrative commands through sudo. Note the sudo prefix: this step itself requires existing administrative rights, which is the lab's starting point and, in the field, the escalation result being made persistent.

  linux@host:~$ sudo adduser desec sudo
  Adding user `desec' to group `sudo' ...
  Done.

Phase 3: Context Shifting

Switch to the modified account with a fresh login shell (su -), inheriting its full environment profile. Supplementary group membership is evaluated at login, so an already-open session for desec would not yet show the sudo group.

  linux@host:~$ su - desec
  Password:
  kali@ngr3p:~$ id
  uid=1001(desec) gid=1001(desec) groups=1001(desec),27(sudo)

Phase 4: Live Log Interception

Tail the sudo journal in real time to see privileged commands as they are logged. Every sudo invocation, including the visudo call below, lands in this stream, which is the same source a defender watches for unexpected escalation.

  linux@host:~$ journalctl -t sudo -f
  Feb 09 05:28:07 ngr3p sudo[1337]: desec : TTY=pts/0 ; PWD=/home/desec ; USER=root ; COMMAND=/usr/bin/visudo

0x04 - Offense Informs Defense

To mitigate these vectors, security administrators should implement the following hardening steps:

  • Audit UID 0: Regularly scan /etc/passwd for any unauthorized UID 0 accounts beyond the root user.
  • Shell Restriction: Disable interactive shells for service accounts by using /usr/sbin/nologin.
  • Log Monitoring: Monitor journalctl or /var/log/auth.log for unauthorized su attempts or group modifications.

Modern commands used above and their legacy equivalents:

  Modern Command             Legacy Equivalent            Function
  adduser [user]             useradd -m -s /bin/bash      High-level interactive account creation
  deluser --remove-home      userdel -rf                  Clean recursive removal of user assets
  journalctl -t sudo -f      tail -f /var/log/auth.log    Centralized log auditing for sudo actions
  deluser [user] [group]     gpasswd -d [user] [group]    Revocation of group membership
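The UID 0 audit and log monitoring steps from 0x04, as an added example that is not part of the original write-up. It parses /etc/passwd-formatted text for non-root UID 0 accounts and interactive shells, and scans journalctl -t sudo lines for commands that alter local identity or sudo policy; the passwd entries and log lines are constructed samples (the backup2 account and the adduser svc sudo line are invented to trigger the checks).

```python
# Added example (not the original write-up's code): audit checks for the hardening
# steps above. /etc/passwd and journal contents below are constructed samples.
import re

INTERACTIVE_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/usr/bin/bash", "/usr/bin/zsh"}
# Binaries that change local identity or sudo policy; these are the ones to flag.
IDENTITY_COMMANDS = {"visudo", "adduser", "useradd", "usermod", "gpasswd", "deluser", "userdel"}

def audit_passwd(passwd_text):
    """Return non-root UID 0 accounts and accounts with interactive shells."""
    ghost_admins, interactive = [], []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank or malformed entry: skip rather than crash
        name, uid, shell = fields[0], fields[2], fields[6]
        if uid == "0" and name != "root":
            ghost_admins.append(name)
        if shell in INTERACTIVE_SHELLS:
            interactive.append(name)
    return {"ghost_admins": ghost_admins, "interactive": interactive}

# journalctl -t sudo format: "<user> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>"
SUDO_LOG = re.compile(r"sudo\[\d+\]:\s+(?P<user>\S+) : .*?USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$")

def flag_sudo_lines(log_text):
    """Return (invoking user, target user, command) for sudo entries touching identity or policy."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_LOG.search(line)
        if not m:
            continue
        binary = m.group("cmd").split()[0].rsplit("/", 1)[-1]  # strip path, keep program name
        if binary in IDENTITY_COMMANDS:
            hits.append((m.group("user"), m.group("target"), m.group("cmd")))
    return hits

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
desec:x:1001:1001:,,,:/home/desec:/bin/bash
backup2:x:0:0:backup:/var/backups:/bin/sh
"""
SAMPLE_LOG = """\
Feb 09 05:28:07 ngr3p sudo[1337]: desec : TTY=pts/0 ; PWD=/home/desec ; USER=root ; COMMAND=/usr/bin/visudo
Feb 09 05:29:11 ngr3p sudo[1340]: desec : TTY=pts/0 ; PWD=/home/desec ; USER=root ; COMMAND=/usr/bin/apt update
Feb 09 05:30:02 ngr3p sudo[1342]: desec : TTY=pts/0 ; PWD=/home/desec ; USER=root ; COMMAND=/usr/sbin/adduser svc sudo
"""
if __name__ == "__main__":
    print(audit_passwd(SAMPLE_PASSWD), flag_sudo_lines(SAMPLE_LOG))
```

On a live host, feed it the real files (open("/etc/passwd").read() and the output of journalctl -t sudo) instead of the samples.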