I recently discovered the CACLS command, that allows someone to edit the ACL of a file. I saw it in a CTF write-up (hacking challenge) to get the root flag supposedly restricted to the Administrator:

CACLS filepath_to_root.txt /G User:R

This command seems overkill, and security mechanisms probably exist to prevent any user from using that command to edit directory/file permissions. What are they? And how can I detect whether the vulnerability is present? Without the write-up I would never have thought about that.

(E.g. in Linux, being in the sudo group would allow me to have full power. I can check that with the groups command.)

Dimitry

2 Answers

/G User:R is not a "root flag" (doesn't mean anything on Windows) but the Read access…

A user can't change the permissions of files if he is not allowed to do that (i.e. if the user is not the owner of the file, or if he doesn't have any rights to do so).

Swisstone
    Indeed. This is one of those "oh no, an admin can use their admin access" situations. – Rob Moir Apr 12 '18 at 20:32
  • Additionally in NTFS all of these changes can be logged and can't be erased without wiping the whole log. – Jim B Apr 12 '18 at 20:41
  • Thank you for your answer. We may have not understood each other though: in the Capture The Flag (CTF) lingo, the *root flag* is a restricted text file in the administrator's desktop. One of the purposes of these challenges is to retrieve that flag (i.e. by escalating our privileges using exploits or misconfiguration). – Dimitry Apr 13 '18 at 07:43
  • Here, I understood that `/R` meant *read* access :-). My question focuses on your last point, regarding *having the right to do so*. How could I tell that I had the right to *do so* in my use case? How can I diagnose that, as an average user (supposedly), I have the right to alter administrator files using the `CACLS` (or `ICACLS`) command? As an example, under Linux, I could have checked if I was in the `sudo` group. – Dimitry Apr 13 '18 at 07:44
  • You can see the ACL of a folder (for example), by right clicking on the folder -> Properties -> Security and then you can add/remove your users/groups with this tool. If you click the "Advanced" button, you can use the "Effective access" tab to check with one particular user/group if the access would be allowed or not. More info about permissions: [Managing Permissions](https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770962(v=ws.11)) – Swisstone Apr 13 '18 at 12:41
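The question in the comments above ("how can I diagnose that I have the right to alter the file's permissions?") can be answered from the command line without touching the file. The following PowerShell script is an added example, not code from Swisstone's answer: it reads the file's DACL with `Get-Acl`, collects the SIDs the current token effectively carries, and reports which Allow ACEs grant `ChangePermissions` (WRITE_DAC) or `TakeOwnership` (WRITE_OWNER), plus whether you own the object (the owner implicitly holds WRITE_DAC). The path at the bottom is a placeholder for the file you want to inspect.

```powershell
# Added example (not from the original answers). Assumes Windows PowerShell 5.1 or
# PowerShell 7 on Windows, and a path whose security descriptor you can at least read.
function Get-AclChangeRights {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [System.Security.Principal.WindowsPrincipal]$identity

    # SIDs the current token effectively carries. IsInRole() honours UAC token
    # filtering, so a non-elevated admin's deny-only "Administrators" entry is skipped.
    $tokenSids = @($identity.User.Value) +
                 @($identity.Groups | Where-Object { $principal.IsInRole($_) } | ForEach-Object { $_.Value })

    $acl   = Get-Acl -LiteralPath $Path
    $owner = $acl.GetOwner([System.Security.Principal.SecurityIdentifier]).Value

    # Rights that let a principal rewrite the DACL (WRITE_DAC) or seize the object
    # (WRITE_OWNER). FullControl contains both bits, so an ACE granting F matches too.
    $mask = [int]([System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                  [System.Security.AccessControl.FileSystemRights]::TakeOwnership)

    $rules  = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    $grants = foreach ($ace in $rules) {
        # Keep only Allow ACEs that apply to one of our SIDs and carry a WRITE_DAC/WRITE_OWNER bit.
        # Deny ACEs are not evaluated here; the "Effective access" tab does the full evaluation.
        if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
        if ($tokenSids -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }

        $name = $ace.IdentityReference.Value
        try { $name = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        [pscustomobject]@{ Identity = $name; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
    }

    $isOwner = $tokenSids -contains $owner   # the owner implicitly holds READ_CONTROL and WRITE_DAC
    [pscustomobject]@{
        Path         = $Path
        Owner        = $acl.Owner
        YouAreOwner  = $isOwner
        GrantingAces = @($grants)
        CanChangeAcl = $isOwner -or (@($grants).Count -gt 0)
    }
}

# Usage (placeholder path): inspect the file without modifying it.
Get-AclChangeRights -Path 'C:\path\to\root.txt' | Format-List
```

Two caveats a practitioner should keep in mind: the script does not evaluate Deny ACEs, and it does not account for token privileges such as `SeTakeOwnershipPrivilege`, `SeRestorePrivilege` or `SeBackupPrivilege` (visible with `whoami /priv`), which bypass the DACL entirely. When `CanChangeAcl` is false but you still suspect a problem, the "Effective access" tab Swisstone points to is the authoritative check, since Windows evaluates Deny ACEs, group membership and inheritance there in one go.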
There are various other methods to manipulate ACLs as well - preferably icacls, PowerShell or Windows Explorer.

The key to not letting a user manipulate ACLs is to not grant them full privileges but only modify. In detail, the change permissions privilege is what you don't want. Additionally, make sure the creator/owner doesn't have full privileges either unless your users actually know how to work with ACLs and are supposed to change them.

Zac67
  • Thank you for your answer. Could you add more details on your second paragraph, regarding *not granting them full privileges...*? – Dimitry Apr 13 '18 at 07:47
  • You don't grant users *F* privileges but only *C* (`cacls`) or *M* (`icacls`) privileges. – Zac67 Apr 13 '18 at 08:39
  • How can I check one's privileges? At least mine? – Dimitry Apr 13 '18 at 10:59
  • An ACL is a property of a file or folder, not a user's. You can check user/group privileges for a file by running `icacls filename`. – Zac67 Apr 13 '18 at 11:02
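To make the F-versus-M distinction from the answer and its comments concrete, here is an added PowerShell example (not Zac67's own code). It creates a scratch file in `%TEMP%`, applies the weak grant (`F`, full control) and then the corrected one (`M`, modify) with `icacls`, and after each step reads the ACL back with `Get-Acl` to show whether the granted rights include the `ChangePermissions` or `TakeOwnership` bits that would let that account rewrite the ACL itself. `Alice` is a placeholder local account name; replace it with a real user or group before running.

```powershell
# Added example, not code from the original answer. Assumes Windows, PowerShell 5.1+,
# and that the running account owns the scratch file (it is created in %TEMP%).
$user = 'Alice'   # placeholder account; must exist on the machine
$file = Join-Path $env:TEMP 'acl-demo.txt'
Set-Content -LiteralPath $file -Value 'demo'

function Show-PermissionChangeRights([string]$Path, [string]$Account) {
    # WRITE_DAC and WRITE_OWNER: the bits that allow an ACE holder to rewrite the ACL.
    $mask = [int]([System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
                  [System.Security.AccessControl.FileSystemRights]::TakeOwnership)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -notlike "*\$Account") { continue }
        $canRewrite = ([int]$ace.FileSystemRights -band $mask) -ne 0
        '{0,-5} {1,-45} can change ACL: {2}' -f $ace.AccessControlType, $ace.FileSystemRights, $canRewrite
    }
}

# Weak grant: F (full control) includes ChangePermissions and TakeOwnership, so the
# account could run cacls/icacls against this file on its own.
icacls $file /grant "${user}:F" | Out-Null
Show-PermissionChangeRights $file $user

# Corrected grant: M (modify) still allows read, write and delete, but not rewriting
# the ACL. /remove first so the earlier F entry does not linger alongside it.
icacls $file /remove $user | Out-Null
icacls $file /grant "${user}:M" | Out-Null
Show-PermissionChangeRights $file $user

# Inspect the final ACL the way the comment above suggests, then clean up.
icacls $file
Remove-Item -LiteralPath $file
```

The first report line should show `can change ACL: True` and the second `False`, which is the whole point of the answer: `M` is the widest grant a normal user needs for day-to-day work. Following up on Jim B's comment about logging, permission changes only become visible in the Security log when object-access auditing ("Audit File System") is enabled and the file carries a SACL that audits WRITE_DAC; each successful change is then recorded as event ID 4670 ("Permissions on an object were changed"), with the subject account and the old and new security descriptor in the event details.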