Lab 09 — Local Privilege-Escalation Defense¶
Hands-on lab · ← Back to the module concept
Setup¶
This is a reference lab — it ships a one-command environment in the companion
plaintext-labs repo:
git clone https://github.com/plaintext-security/plaintext-labs
cd plaintext-labs/endpoint-hardening/09-privesc-defense
make up # build the container with a deliberate SUID misconfiguration
make demo # show find discovering the SUID binary, demonstrate the privesc path
make shell # drop into the container to work
make down # stop when done
Everything runs locally in a container you own. The misconfiguration is deliberate and contained to the lab environment.
Scenario¶
The organization's red team reported that the payroll server has at least one exploitable SUID binary misconfiguration. Before the remediation window, your job is to: verify the finding, understand the exploitation path, apply the remediation, confirm the path is closed, and add the check to the compliance scan so it doesn't regress.
Do¶
-
[ ]
make demo— observe the SUID binary being found withfind / -perm -4000. Note which binary it is. Look it up on GTFOBins — what escalation technique does it enable? -
[ ]
Did you reach root? Document the exact commands and the output.make shell(as the low-privilegedappuser) and attempt the GTFOBins technique: -
[ ] Remediate: remove the SUID bit from the binary:
Re-attempt the GTFOBins technique as# Switch to root (or use sudo): chmod u-s /path/to/binary ls -la /path/to/binary # confirm the 's' bit is goneappuser. Confirm it fails. -
[ ] Add the AppArmor second layer: load the AppArmor profile from
Re-attempt the escalation and observe both the permission denial and the AppArmor log entry.data/suid-apparmor-profileand confirm it is in enforce mode: -
[ ] Audit the full SUID set on the container:
Cross-reference every result against GTFOBins. Document which ones are dangerous, which are expected (e.g.sudoitself), and which you would remove in a production hardening run. -
[ ] Write an osquery query that finds SUID binaries continuously:
Add this query toSELECT path, permissions, uid, gid FROM file WHERE path LIKE '/usr/%' AND permissions LIKE '%s%' AND uid = 0;data/queries.sqlfrom module 05.
Success criteria — you're done when¶
- [ ] You demonstrated the SUID privesc path as
appuser. - [ ] You remediated it (removed SUID bit) and confirmed the path is closed.
- [ ] You added AppArmor as a second layer and observed the denial log.
- [ ] You audited the full SUID set and documented which binaries are dangerous.
- [ ] You have an osquery query that would detect a new SUID binary being added.
Deliverables¶
privesc-audit.md — the full SUID binary audit table (binary, is dangerous per GTFOBins,
action taken: remove/keep/profile). Commit it. Also commit the updated queries.sql with
the SUID detection query.
Automate & own it¶
Required. Write a shell script suid-audit.sh that: runs find / -perm -4000 2>/dev/null,
downloads (or reads from local cache) the GTFOBins binary list, and flags any SUID binary
that matches a GTFOBins entry. Output: "DANGEROUS: /path/to/binary (GTFOBins technique: X)"
or "OK: /path/to/binary". Have an AI draft the comparison logic; you verify it against a known
list before committing.
AI acceleration¶
After finding the SUID binary with find, paste its name into an AI and ask: "What is the
GTFOBins SUID technique for this binary? Walk me through the exact commands." Then verify the
technique against gtfobins.org — the model may have the
technique slightly wrong or may suggest a newer variant. Run the technique in the lab to confirm
it actually works before writing the remediation documentation.
Connects forward¶
The osquery SUID query you wrote here feeds module 10 (detecting host compromise) — a new SUID binary added to a production host is a detection signal. The AppArmor confinement from module 04 and this module work together as the dual-layer defense that the track capstone integrates.
Marketable proof¶
"I identified a SUID privilege-escalation path using GTFOBins, exploited it in a controlled environment to confirm the finding, remediated with permission hardening and AppArmor confinement, and added an osquery detection query to prevent regression."
Stretch¶
- Audit the container's sudo configuration:
cat /etc/sudoersandls /etc/sudoers.d/. Are there anyNOPASSWDrules? What binaries are granted? Cross-reference with GTFOBins sudo techniques. - Use
getcap -r / 2>/dev/nullto enumerate Linux capabilities. Linux capabilities are the "SUID with less blast radius" mechanism — but misconfigured capabilities can also enable privilege escalation. Look upcap_setuidandcap_sys_ptraceon GTFOBins.
Comments
Sign in with GitHub to comment. Choose the type: Feedback (errors or suggestions on this page) · Hints (help for fellow learners — no spoilers) · General (anything else).