A hands-on lab for investigating and remediating privilege escalation vulnerabilities in sudo configurations.
In this lab, you’ll investigate a security incident where a regular user has been obtaining root access through a misconfigured sudo rule. You’ll learn how to:
-
Investigate security alerts and understand the threat
-
Identify dangerous sudo configurations
-
Understand how seemingly safe commands can be exploited
-
Test vulnerabilities in a controlled environment
-
Implement proper remediation using least-privilege principles
The Information Security team has detected suspicious activity - a regular user account (devuser) has been obtaining root shell access. Manager Scott recently created a sudo rule to "help" by giving the user access to view log files, but something went wrong. Your job is to investigate, understand the vulnerability, and fix it properly.
-
Recognize privilege escalation vulnerabilities in sudo configurations
-
Understand the full capabilities of common Unix commands
-
Apply least-privilege principles to access control
-
Document security incidents and remediation steps
-
Basic Linux command line knowledge
-
Understanding of user permissions and sudo
-
Familiarity with system logs
Estimated time: 45-60 minutes
-
Content Directory
tree output. ├── README.adoc # Readme file ├── config # Defines VMs, network and firewall ├── runtime-automation # Scripts directory for setup/next/solve modules ├── setup-automation # Scripts directory when provisioning ├── ui-config.yml # Configuration file ├── site.yml # Theme config └── content # Content directory ├── antora.yml # Antora configuration file. You can add "inline vars" here to render within your content └── modules/ROOT ├── assets │ └── images # Images used in your content │ └── example-image.png ├── pages # Your content goes here │ ├── module-01.adoc # First module of your lab, e.g. overview etc │ ├── module-02.adoc # Second module of your lab │ └── module-03.adoc # Third module
-
Lab definition directory
tree outputconfig/ ├── firewall.yaml # Define the egress/ingress rules to be allowed ├── instances.yaml # Define the instances to be created └── networks.yml # Define the networks to be created
-
Runtime Scripts Directory Structure
tree outputruntime-automation/ ├── module_1 # The directory name should be the same as │ # the module content page name │ ├── setup.sh # Setup playbook which run at start of module │ # and when clicked on next button │ ├── solve.sh # Solve playbook, run when clicked on solve button │ └── validation.sh # Validation playbook, run when click on next button ├── ansible.cfg # Ansible configuration used with module playbooks └── main.yml # Playbook to be called in each step
-
Setup Scripts Directory Structure
tree outputsetup-automation/ ├── setup-vmname.sh # Script to be executed on vmname when is provisioned ├── ansible.cfg # Ansible configuration used with module playbooks └── main.yml # Playbook to be called in each step
-
Example: The ui-config.yml configuration file
tree outputantora: name: modules dir: www modules: - name: 01-playbook-inventory # Module Name label: Playbook Inventory # Module Label solveButton: true # Enable Solve button - name: 02-playbook-directory-structure label: Playbook Directory Structure solveButton: true tabs: - name: VSCode Editor # Tab name port: 8443 # Port no of the service path: /?folder=/home/rhel/ansible-files/ # Path suffix - name: ">_control" # Tab name port: 443 # Port of the tt1 terminal path: /tty1 # Path to the tty1 terminal