Linux for Pentester: ed Privilege Escalation
This article introduces “ed”, a line-oriented text editor that creates, displays, alters, and otherwise operates on text files. All ed commands operate on whole lines or ranges of lines; e.g., the “d” command deletes lines, the “m” command moves lines, the “t” command copies lines, and so on. We will then look at how this functionality of the “ed” command can be used for Privilege Escalation.
Table of Content
Overview to ed
- Summary to ed
- Primary Action attained using ed
Abusing ed
- SUDO Lab setups for privilege Escalation
- Exploiting SUDO
Summary to ed
The ed command in Linux starts the “ed text editor,” which is a line-based text editor. Its minimal interface makes working on text files less complex. It helps the user perform many operations, such as creating, editing, displaying and manipulating files.
Editing occurs in two distinct modes: “command and input.” In the “command” mode, “ed” reads commands from the standard input and executes them to manipulate the contents of the editor buffer, whereas when a user gives an input command, such as ‘m’ (move), ‘d’ (delete), ‘t’ (copy), or ‘c’ (change), “ed” enters its “input mode”.
The text editors Vi and Emacs replaced the oldest editor, which was developed in 1969 for UNIX.
Now type its help command to know more about “ed”.
ed --help
Fundamental activities achieved by “ed”:
Since “ed” supports many operations, we will go through its functionality one by one.
Initializing file with ed:
Initially, running the command without arguments makes the terminal appear as shown in the image below. By default, the editor creates an empty buffer to write into, similar to the way any other command-line based editor works when you invoke it without a file name.
ed
Now we will create a text file that contains some text. To do so, we first enter ‘a’ before typing anything into the file, and once we have finished writing we enter a period (.) on a line of its own to signal this to the editor.
Note: The main thing to remember is that ‘a’ (initial) and ‘.’ (final) are the ways to enter and exit the insert mode. To save the buffer to a file, use ‘w’ followed by a file name of your choice; this saves the file under that name and also displays the total number of bytes the file contains. Then use ‘q’ to quit the editor.
ed
a
.
w info.txt
q
cat info.txt
To confirm whether you created the file or not, you can recheck it by using the “cat” command.
Edit the file with ed:
Now, in case you need to edit the same file again, you can simply pass the name of the file as an argument to the ed command and then follow the same procedure as discussed above.
Here in the image below, I’m adding one more line to my file “info.txt” which I have created above by following the same process.
ed info.txt
Note: We need to use the ‘a’, ‘.’, ‘w’ and ‘q’ commands every time we use any option of the ed command.
Change any specific line:
So far we have learnt basic editing using ed; now let’s move on to further editing operations. For example, how can we use ed to make changes to a specific line?
The image below shows how we can print any particular line using the ‘p’ and ‘n’ commands.
When we type ‘p’, ed prints the current line, i.e. the line the editor is currently positioned on, while ‘n’ prints it together with its line number.
ed info.txt
p
So after typing ‘n’ we simply need to mention that line no. for which we want alteration. By default ‘n’ displays the last line of the file so after that you can type the line no. as per your search.
n
2
5
Once you have reached the line where you want to make a change, you can enter ‘c’ to change that line by typing the text again. For example, I have changed the 5th line, which is the last line of my file, by adding some more detail to it. I save the file by following the same process as before and then read it with the ‘cat’ command to recheck my modification.
c
cat info.txt
Display error message by using ed:
When you type something that ed can’t understand, it displays a question mark (?) by default. To find out what the mistake was, ed provides a very helpful command, ‘h’.
ed info.txt
b
h
As shown in the screenshot below, I clearly understood that when I used the ‘b’ option, it gave me (?), which is the symbol of error, and while typing ‘h’, it displayed the error message as an unknown command for option ‘b’.
Copy and move operation by ed:
Apart from all the functions discussed above, ed can also copy a line and paste it at some other location. We use the ‘t’ command to copy a line and ‘m’ to move a line. You need to precede ‘t’ with the number of the line you want to copy and append the destination line number. For example, as in the image below, I have copied the 5th line to position 0 and will save the changes.
ed info.txt
5t0
cat info.txt
In the above-mentioned command, 5 represents the line that needs to be copied, and 0 represents the line number after which the copy is placed.
Note: One can also use ‘m’ instead of ‘t’ to move the line to another place.
Search operation using ed:
Searching for a line by keyword is easy with ed. To do so, we first start ed with the “-p%” option, which makes it prompt us with % for each command. After that, to search forward, enter / followed by the search keyword. As soon as you press Enter, the editor displays the first line containing the keyword that it encounters. You can run that command again to continue searching.
ed -p% info.txt
%/misconfiguration
%/Linux
Here in the image below ed has printed only those lines as output that consist of search keywords, i.e., misconfiguration and Linux.
Exploiting ed
Sudo Rights Lab setups for Privilege Escalation
Now we will perform privilege escalation using “ed”. To do so, we need to set up a lab in which the ed command is granted administrative rights. After that, we will check what effect sudo rights have on the “ed command” and how we can use it for privilege escalation.
This can be clearly understood from the image below, in which I have created a local user (test) who owns all sudo rights as root.
To add the sudo right, open the /etc/sudoers file and type the following as the user privilege specification.
test ALL=(root) NOPASSWD: /bin/ed
Exploiting Sudo rights
Now we will exploit ed by taking advantage of the sudoers permission. For this, we need a session on the victim’s machine that gives us local user access to the targeted system, from which we can escalate to root user rights.
First we connect to the target machine with ssh; type the following command to get access through the local user login.
ssh test@192.168.1.31
Then we look up the sudo rights of the “test” user (if any) and find that user “test” can execute the ed command as “root” without a password.
sudo -l
Now, knowing that the test user has sudo rights for ed, we can take advantage of this and use the ed command to open an empty buffer and call a bash/sh shell from it, which runs with higher privileges if permitted by sudo.
Conclusion: Hence, we have successfully exploited “ed” by using its functionality after it was granted higher privileges.
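A defender-side check for the misconfiguration used in this lab, as an added example that is not part of the original article: it scans sudoers-style rules for programs that can run other commands when executed as root. The `SHELL_CAPABLE` set, the function name and the sample rules are assumptions made for illustration; aliases and include files are not resolved.

```python
import re

# Illustrative assumption: programs that can run other commands from inside
# their own interface. Adjust the set for your environment.
SHELL_CAPABLE = {"ed", "vi", "vim", "nano", "less", "more", "man"}

# user host=(runas) [TAG:]command[, command...]
RULE = re.compile(r"^(?P<user>\S+)\s+\S+?\s*=\s*(?:\((?P<runas>[^)]*)\))?\s*(?P<rest>.+)$")
TAG = re.compile(r"^([A-Z_]+):\s*")

# Constructed sample input, not taken from a real host.
SAMPLE = """\
# sudoers sample
Defaults env_reset
root ALL=(ALL:ALL) ALL
test ALL=(root) NOPASSWD: /bin/ed
backup ALL=(root) NOEXEC: /usr/bin/less /var/log/syslog
deploy ALL=(www-data) NOPASSWD: /usr/bin/vim
ops ALL= /usr/bin/systemctl restart nginx, /usr/bin/vi
"""


def audit_sudoers(text):
    """Return (line, user, command, nopasswd) for risky root-run rules."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line.split()[0]:
            continue
        m = RULE.match(line)
        if not m:
            continue
        # An omitted runas list means root; (user:group) keeps only the user part.
        runas = (m.group("runas") or "root").split(":")[0]
        if not {u.strip() for u in runas.split(",")} & {"root", "ALL"}:
            continue
        nopasswd = noexec = False
        for cmd in m.group("rest").split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):  # tags persist for later commands
                tag, cmd = t.group(1), cmd[t.end():]
                nopasswd = {"NOPASSWD": True, "PASSWD": False}.get(tag, nopasswd)
                noexec = {"NOEXEC": True, "EXEC": False}.get(tag, noexec)
            path = cmd.split()[0] if cmd else ""
            # NOEXEC stops a dynamically linked program from running further commands.
            if path.rsplit("/", 1)[-1] in SHELL_CAPABLE and not noexec:
                findings.append((lineno, m.group("user"), path, nopasswd))
    return findings
```

Each finding is a rule to remove, or to restrict with the sudoers `NOEXEC` tag where the platform supports it; a `NOPASSWD` finding such as the lab's `/bin/ed` rule is the most urgent.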
Author: Komal Singh is a Cyber Security Researcher and Technical Content Writer. She is a completely enthusiastic pentester and Security Analyst at Ignite Technologies.