escalatedquickly

Hacker || Malware Enthusiast || Nerd

Interactive subshells in BASH

2022-11-19
1369 words

A while ago, someone on a Discord server that I spend way too much time on asked a question. They were trying to brute force the three-letter sudo password of a lab user through a pipe wrapped in some python code, something to the effect of:

import os

# Build the candidate alphabet from printable ASCII ranges.
# range() excludes its upper bound, so the end points are one past the last character.
alphabet = [chr(x) for x in range(0x41, 0x5B)]  # Uppercase letters A-Z
alphabet += [chr(x) for x in range(0x61, 0x7B)] # Lowercase letters a-z
alphabet += [chr(x) for x in range(0x21, 0x40)] # Digits and punctuation (! through ?)

for a in alphabet:
    for b in alphabet:
        for c in alphabet:
            # Feed the candidate to sudo on stdin; -k discards cached credentials, -S reads the password from stdin
            os.system('echo "%c%c%c" | sudo -k -S' % (a, b, c))

The code generates all three-letter combinations of upper and lowercase letters, as well as numbers and special characters in ASCII, and runs echo "<CANDIDATE>" | sudo -k -S in the system shell.

The person asking was wondering why this didn’t give them a shell when the right password was given, and at first it seemed like a pretty obvious question: just add -i to the sudo command, so that it spawns an interactive shell. It is not quite that simple though, and I thought the solution was pretty neat.


Clarifying Linux privilege escalation with SUID programs

2022-08-14
2098 words

When looking into privilege escalation in Linux, there are a couple of common methods that pop up, such as finding out which commands the unprivileged user can run with sudo, kernel exploits, and the one I want to talk about today - programs with the SUID bit set. The reason I want to talk about this kind of exploit is that I think a lot of tutorials on how these exploits work gloss over a crucial piece of the puzzle. So, let’s dive right in!


What I Learned From Writing My First Paper

2018-06-21
1183 words

Today I submitted my first scientific paper for review. I’ve now been a PhD student for about nine months, six of which I’ve spent on this project in particular. It’s been quite a long road with a lot of bumps and a lot of setbacks, but I’ve learned a lot from it, and I suppose that’s what doing a PhD is all about. It doesn’t hurt that I’m very happy with how my paper turned out as well. Now I just have to hope that the reviewers are as happy with it as I am.

Anyway, what I wanted to talk about today is what I learned about doing science from writing this paper.


Socket Programming - IPv6 Extension Headers

2018-01-11
2447 words

Recently in my research I had to deal with the IPv6 extension headers. In particular I had to deal with the Hop-By-Hop header. Unfortunately, the process of actually setting the option and getting it on the wire is not trivial, and the documentation is so-so. Because of this I thought I’d give explaining the process a go. But firstly, let’s discuss the header itself.