0-days And Humility
September 5, 2019
So imagine you’re me.Stop crying Now imagine you’ve accidentally removed yourself from the sudo groupDocker’s fault .
“No problem”, you might reasonably think, I’ll just reboot into a root shell and fix that”.
Not so fast, hotshot. Your fancy Surface Go has EFI, which means the GRUB menu doesn’t show, and this machine has a bug that doesn’t initialise the keyboard until after Ubuntu starts booting. This means pressing escape or holding shift, doesn’t bring up the GRUB menu to boot into single-user mode.
“OK, can we boot the drive in another machine?”
Great question: It’s superglued on to the motherboard. This is, effectively, a tablet.
“FSCK IT I’ll REINSTALL LINUX”, you might reasonably exclaim.
I’ve got news for you, it’s stopped booting from USB for unknown, spooky, EFI reasons.
No reinstall, no single-user mode, no sudo
I despaired for a month before realising I now work in the Cybersecurity department of the Government Digital Service. So, the next day, I talked to one of our ethical hackers, and after 30 minutes of searching, we used a 0-dayhttps://www.exploit-db.com/exploits/47163 to get me root. Which, after a quick bit of C++ compiling, was SO EASY:
After that, it was a simple matter to restore my membership in the
sudo group and get back up and running with my little Linux tablet.
The whole matter has opened my eyes to just how trivial privilege escalation can be, even with a very modern, patched system.