Introduction
In this article I am going to explain what SUID binaries are and how to exploit them to get a root shell, i.e. privilege escalation on a machine. Before diving into the privilege escalation part we have to learn some basics of:
- Linux file ownership
- chown and chmod command
- SUID bit
Linux file ownership
To understand Linux file ownership, think of the whole Linux system as an office and the users on the system as its employees. Employees keep confidential information that must not be shared with just anyone, so to keep one user's files separate from another's, and for the sake of privacy, Linux file ownership comes into play. Didn't understand? Don't worry, just bear with me. Basically, each file has 3 classes of users:
- owner of file
- group members
- other users
The owner of a file is normally the user who created it, the group members are the set of users who belong to the file's group (and so share the group permissions), and other users means anyone on the system who is neither the owner nor a member of the group.
(image credit: Geek Diary)
- read (r) = 4
- write (w) = 2
- execute (x) = 1
Each class gets one digit that is the sum of its permissions, written in the order owner, group, others. So 777 means all permissions are given to the file, i.e. anyone (owner, group and others) can read, write and execute it, while 644 means the owner can read and write and everyone else can only read.
chown and chmod
As we have seen, read, write and execute permissions are attached to every file. The chmod command changes them, for example chmod 755 file, or chmod u+x file to make a file executable for its owner.
The chown command, on the other hand, changes who owns the file, i.e. which user and which group the owner and group permissions apply to. We can change both at once just by typing:
chown newuser:newgroup file
Now, enough basics. Let's talk about SUID binaries: what they are and how we exploit them to gain privilege escalation.
SUID and SGID
SUID stands for set user ID, while SGID stands for set group ID. Let's take an example to understand SUID more deeply. Suppose root creates a program called root.sh, owns it, and sets the SUID bit on it. Another user, Alice, who is a normal user, sees root.sh and runs it. Because the SUID bit is set, the program runs with the privileges of its owner (root) even though a normal user started it. That is what the SUID bit does: if it is set, anyone who can execute the file runs it on behalf of the file's owner (not the user who happened to create it), and SGID does the same for the file's group. One caveat a practitioner should know: the Linux kernel ignores the SUID bit on interpreted scripts such as a shell script, so in practice root.sh would have to be a compiled binary for this to work.
In ls -l output a SUID binary is denoted by an s in the owner's execute position (for example -rwsr-xr-x); an s in the group's execute position means SGID. We can set the SUID bit by typing chmod u+s file (or chmod 4755 file, since SUID is the 4 in the leading digit) and SGID with chmod g+s file.
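As an added example (not from the original article), here is a small POSIX shell script that turns an octal mode such as 4755 into the rwsr-xr-x string ls -l shows, using the read=4, write=2, execute=1 digits from the permissions section plus the setuid/setgid/sticky bits from the leading digit, and then checks the result against a real file set with chmod and chown. The function names octal_to_symbolic and actual_mode, the scratch file created with mktemp, and the chown to your own numeric user and group are assumptions for illustration; it needs only a Linux-style sh with ls, chmod, chown and mktemp.

```shell
#!/bin/sh
# Added example, not from the article: convert an octal mode into the
# permission string ls -l prints, then check it against a real file.
# Assumes a Linux-style sh with ls, chmod, chown and mktemp.

# octal_to_symbolic MODE -> 9-character rwx string.
# Each digit is read=4 + write=2 + execute=1 for owner, group, other.
# An optional leading digit carries setuid=4, setgid=2, sticky=1.
octal_to_symbolic() {
    mode=$1
    case ${#mode} in
        3) special=0;           perms=$mode ;;
        4) special=${mode%???}; perms=${mode#?} ;;
        *) echo "bad mode: $mode" >&2; return 1 ;;
    esac
    out=""
    slot=0                              # 0 = owner, 1 = group, 2 = other
    while [ -n "$perms" ]; do
        digit=${perms%"${perms#?}"}     # first remaining digit
        perms=${perms#?}
        r=-; w=-; x=-
        [ $((digit & 4)) -ne 0 ] && r=r
        [ $((digit & 2)) -ne 0 ] && w=w
        [ $((digit & 1)) -ne 0 ] && x=x
        # setuid shows as s in the owner slot, setgid as s in the group slot,
        # sticky as t in the other slot. Uppercase means the special bit is
        # stored but the execute bit underneath it is clear, so it has no
        # effect (a SUID file nobody can execute).
        case $slot in
            0) bit=4; letter=s ;;
            1) bit=2; letter=s ;;
            *) bit=1; letter=t ;;
        esac
        if [ $((special & bit)) -ne 0 ]; then
            if [ "$x" = x ]; then x=$letter; else x=$(printf '%s' "$letter" | tr st ST); fi
        fi
        out="$out$r$w$x"
        slot=$((slot + 1))
    done
    printf '%s\n' "$out"
}

# actual_mode MODE -> what ls -l shows after `chmod MODE` on a scratch file.
# Also exercises the chown user:group syntax; with the numeric IDs of the
# current user it is a no-op, which is all a non-root user is allowed to do.
actual_mode() {
    f=$(mktemp) || return 1
    chown "$(id -u):$(id -g)" "$f"      # chown newuser:newgroup file
    chmod "$1" "$f"
    ls -ld "$f" | cut -c2-10            # drop the file-type char, keep 9 perm chars
    rm -f "$f"
}

main() {
    for m in 777 644 4755 4644 2755 1777; do
        printf '%-5s %s\n' "$m" "$(octal_to_symbolic "$m")"
    done
    # A normal user may set SUID on a file they own; no root needed.
    if [ "$(octal_to_symbolic 4755)" = "$(actual_mode 4755)" ]; then
        echo "4755: calculation matches what ls -l shows"
    else
        echo "4755: mismatch, check the filesystem"
    fi
}
main "$@"
```

Run it as a normal user: chmod 4755 on a file you own succeeds without root, which is exactly why a careless chmod u+s by an administrator is enough to create the misconfiguration discussed next. The uppercase S (e.g. rwSr--r--) is worth recognising during an audit: the setuid bit is stored but the owner's execute bit is not, so the file cannot actually be run as SUID.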
Exploitation
We can exploit a SUID misconfiguration in 3 steps. First we have to find the files whose SUID bit is set; we can do it by typing:
find / -user root -perm -4000 -print 2>/dev/null
It will print all files owned by root that have the SUID bit set: -perm -4000 matches any mode that includes the setuid bit (4000), whatever the other permission bits are, and 2>/dev/null hides the permission-denied errors from directories we cannot read. Second, if SUID is set on something interesting, go to https://gtfobins.github.io/ and look up that binary's SUID entry. Suppose SUID is set on nmap:
We can easily get a root shell by typing nmap --interactive and then !sh at the nmap> prompt. Two checks before relying on this: interactive mode only exists in old nmap releases (2.02 to 5.21), so on a current nmap the option is gone, and if the shell it spawns is bash rather than sh, bash drops the elevated effective UID unless it is started with -p. Either way, run id in the new shell and confirm it reports euid=0(root).
Third, repeat the lookup for every hit. There are tons of command-line utilities, like find, less, vim, man, etc., that become exploitable through a SUID misconfiguration, and GTFOBins lists the technique for each of them.
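As an added example that is not from the article or from GTFOBins, the following shell script wraps the three steps into one place: it enumerates setuid and setgid files, then flags any whose name is on a small watch list of utilities that GTFOBins documents as abusable (nmap, find, less, vim, man and a few others). The watch list, the function names triage_suid and list_suid, and the DEMO_PATHS sample list are constructed assumptions for illustration; the watch list is deliberately incomplete, so anything it does not flag still needs a look on the site.

```shell
#!/bin/sh
# Added example, not from the article or GTFOBins: enumerate setuid/setgid
# files and flag the ones on a watch list of utilities GTFOBins documents
# as abusable when SUID. The watch list is a hand-picked assumption and is
# deliberately incomplete; check every hit, flagged or not, on the site.

WATCH_LIST="nmap find less vim vi man more bash sh dash python python3 perl env awk gawk cp mv tee"

# Constructed sample output of find, used when not run with --live so the
# flow is visible without scanning a real host.
DEMO_PATHS="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/nmap
/usr/local/bin/find
/usr/bin/mount"

# triage_suid PATH... -> prints each path whose basename is on WATCH_LIST,
# one per line; returns 1 when nothing matched. Pure function over its
# arguments, so it can be tested without root or a real scan.
triage_suid() {
    found=1
    for p in "$@"; do
        name=${p##*/}
        for w in $WATCH_LIST; do
            if [ "$name" = "$w" ]; then
                printf '%s\n' "$p"
                found=0
                break
            fi
        done
    done
    return $found
}

# list_suid -> regular files with the setuid or setgid bit set, any owner.
# The article filters on -user root; that is dropped here on purpose,
# because a SUID file owned by another user still grants that user's rights.
list_suid() {
    find / -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

main() {
    case $1 in
        --live) paths=$(list_suid) ;;
        *)      paths=$DEMO_PATHS ;;
    esac
    n=0
    [ -n "$paths" ] && n=$(printf '%s\n' "$paths" | wc -l | tr -d ' ')
    echo "setuid/setgid files: $n"
    if flagged=$(triage_suid $paths); then
        echo "on the watch list, look each one up on https://gtfobins.github.io/:"
        for p in $flagged; do
            # Mode and owner matter: s in the owner slot gives the owner's
            # rights, s in the group slot gives the group's.
            if [ -e "$p" ]; then ls -ld "$p"; else echo "  $p (not present on this host)"; fi
        done
    else
        echo "nothing on the watch list; read the full list by hand,"
        echo "unfamiliar or custom binaries are often the real finding"
    fi
}
main "$@"
```

Run sh suid_triage.sh --live on the target; without --live it only walks the constructed sample so you can see the output format. Whatever the script flags, confirm success the same way as with nmap above: run id in the shell you spawned and check that it reports euid=0(root) (or the owner of the binary, if it was not root).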