Introduction

In this article I am going to explain what SUID binaries are and how they are exploited to get a root shell, i.e. privilege escalation on a machine. Before diving into the privilege escalation part we have to learn some basics of:

  • Linux file ownership
  • chown and chmod command
  • SUID bit

Linux file Ownership

To understand Linux file ownership, think of the whole Linux system as an office and the users on the system as employees at that office. As we know, every user has confidential information of their own or of the head of the office which can't be shared with another person, so to keep users' files separate and for the sake of privacy, Linux file ownership comes into play. Didn't understand? Don't worry, just bear with me. Basically, each file has 3 types of users:

  • owner of file
  • group members
  • other users

The owner of a file is the user who created it, the group members are the set of users who have been given shared access to the file through its group, and other users are anyone on the system except the owner and group members.

[Image: Linux file permission layout (owner, group and others, each with read/write/execute bits); image credit - geek diary]

  • read -------> 4
  • write ------> 2
  • execute ----> 1

777 means all permissions are given to the file, i.e. anyone (user, group and others) can read, write and execute it.

chown and chmod

As we can see, read, write and execute permissions are attached to files. With the chmod command we can change a user's permissions on a file, i.e. make the file executable, readable or writeable.

The chown command, on the other hand, is used for changing the ownership of a file, i.e. changing which user and group the file belongs to and therefore who can access it. We can do it just by typing:

chown newuser:newgroup file

Now enough basics, let's talk about SUID binaries: what they are and how we exploit them to gain privilege escalation.

SUID and SGID

SUID stands for set user id while SGID stands for set group id. Let's take an example to understand SUID more deeply. Suppose a user bob is the root user and he created a file called root.sh which has the SUID bit set. Then there is another user called Alice, a normal user, who sees the file root.sh and runs it. Since the SUID bit is set, the file runs on behalf of admin even though it was run by a normal user. That's what the SUID bit does with a file: if the SUID bit is set, anyone can run that file on behalf of the file's owner (the user who created it).

A SUID binary is denoted by an s in the owner's execute position of the permission string. We can set the SUID bit by typing chmod u+s file.
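As an added example (not from the original article), the Python below ties the two sections together: it converts between the ls-style permission string and the numeric mode chmod uses, including the SUID, SGID and sticky bits, then applies a mode to a scratch file and reads back what the kernel reports. The file name root.sh is borrowed from the example above; the scratch directory and script contents are constructed by the code.

```python
import os
import stat
import tempfile

# Value of each permission letter, as in the table above: r=4, w=2, x=1.
_BIT = {"r": 4, "w": 2, "x": 1}
# Special bit that lives in the execute column of each triplet:
# owner -> SUID (4000), group -> SGID (2000), other -> sticky (1000).
_SPECIAL = {0: stat.S_ISUID, 1: stat.S_ISGID, 2: stat.S_ISVTX}


def symbolic_to_mode(perms: str) -> int:
    """Convert a 9-character ls-style string such as 'rwsr-xr-x' into the
    numeric mode chmod understands (0o4755 for that input).

    In the execute column, 's'/'t' mean "special bit AND execute bit set",
    while 'S'/'T' mean "special bit set but execute bit clear".
    """
    if len(perms) != 9:
        raise ValueError("expected 9 permission characters, e.g. rwxr-xr-x")
    mode = 0
    for who in range(3):                       # 0 = owner, 1 = group, 2 = other
        r, w, x = perms[who * 3:who * 3 + 3]
        value = 0
        if r == "r":
            value += _BIT["r"]
        if w == "w":
            value += _BIT["w"]
        if x in "xst":                         # lowercase: execute bit present
            value += _BIT["x"]
        if x in "sStT":                        # any of these: special bit present
            mode |= _SPECIAL[who]
        mode |= value << (3 * (2 - who))       # owner digit is the highest of the three
    return mode


def mode_to_symbolic(mode: int) -> str:
    """Inverse of symbolic_to_mode: 0o4755 -> 'rwsr-xr-x'.
    stat.filemode renders a full st_mode, so strip its leading file-type char."""
    return stat.filemode(mode & 0o7777)[1:]


def apply_and_read_back(mode: int) -> str:
    """Create a scratch script, chmod it to `mode`, and return the permission
    string the kernel reports, i.e. what `ls -l` would print for it."""
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "root.sh")   # name borrowed from the article's example
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho hello\n")   # constructed placeholder script
        os.chmod(path, mode)                      # 0o4755 here is the same as chmod u+s on a 755 file
        return mode_to_symbolic(os.stat(path).st_mode)


if __name__ == "__main__":
    for perms in ("rwxr-xr-x", "rw-r-----", "rwsr-xr-x", "rwxr-sr-x"):
        m = symbolic_to_mode(perms)
        print(f"{perms} -> {oct(m)} -> {mode_to_symbolic(m)}")
    print("after chmod u+s on root.sh:", apply_and_read_back(0o4755))
```

The s in the owner column is what to look for in ls -l output: it replaces the x, so an uppercase S tells you the SUID bit is set on a file that is not even executable by its owner.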

Exploitation

We can easily exploit the SUID bit in 3 steps. First we have to find the files whose SUID bit is set; we can do it by typing:

find / -user root -perm -4000 -print 2>/dev/null

It will print all files owned by root that have the SUID bit set (perm 4000). If the SUID bit is set on a known binary, go to https://gtfobins.github.io/ and check for an exploit. Suppose SUID is set for nmap:

We can easily get a root shell by typing nmap --interactive

There are tons of command-line utilities like find, less, vim, man, etc. that are exploitable through misconfiguration of the SUID bit; you can find the exploit for each of these on GTFOBins.
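The find command above is what an attacker runs first, but it is also what an administrator should run regularly. As an added example that is not part of the original article, the Python below performs the same scan as a function, diffs the result against an allowlist of approved SUID binaries, and clears the bit on anything unexpected (the chmod u-s remediation). The demo runs on constructed files in a private temporary directory owned by the current user, so it never touches real system binaries; the file names and the baseline are assumptions made for the demo. With a directory argument it audits that tree for root-owned SUID files instead.

```python
import os
import stat
import tempfile


def scan_suid(root: str, owner_uid: int = 0) -> list:
    """Walk `root` and return regular files that carry the SUID bit and are
    owned by `owner_uid` (0 = root): the same set the article's
    `find / -user root -perm -4000` prints. Symlinks are not followed and
    unreadable directories are skipped instead of aborting the scan."""
    hits = []
    for dirpath, _dirs, filenames in os.walk(root, onerror=lambda err: None):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if (stat.S_ISREG(st.st_mode)
                    and st.st_mode & stat.S_ISUID
                    and st.st_uid == owner_uid):
                hits.append(path)
    return sorted(hits)


def compare_to_baseline(found, baseline):
    """Split a scan result into (unexpected, missing) relative to an
    allowlist of approved SUID binaries. Unexpected entries are the ones
    to investigate: a GTFOBins-listed tool (nmap, find, vim, ...) showing
    up here is exactly the misconfiguration the article describes."""
    found, baseline = set(found), set(baseline)
    return sorted(found - baseline), sorted(baseline - found)


def clear_suid(path: str) -> None:
    """Remediation for an unexpected entry: drop the SUID bit, same as
    `chmod u-s path`, leaving the other permission bits untouched."""
    st = os.stat(path)
    os.chmod(path, stat.S_IMODE(st.st_mode) & ~stat.S_ISUID)


def demo_in_tempdir() -> dict:
    """Run the audit on constructed files in a private temporary directory,
    not on the real system. File names and the baseline are made up."""
    with tempfile.TemporaryDirectory() as scratch:
        def make(name, mode):
            path = os.path.join(scratch, name)
            with open(path, "w") as f:
                f.write("#!/bin/sh\n")       # constructed placeholder script
            os.chmod(path, mode)
            return path

        approved = make("approved_helper", 0o4755)   # in the allowlist
        make("unexpected_bin", 0o4755)               # SUID but not approved
        make("plain.sh", 0o755)                      # no SUID, must be ignored

        me = os.getuid()   # files we create are ours, so audit for our uid
        found = scan_suid(scratch, owner_uid=me)
        unexpected, missing = compare_to_baseline(found, [approved])
        for path in unexpected:
            clear_suid(path)
        after_fix = scan_suid(scratch, owner_uid=me)

        base = os.path.basename
        return {
            "found": [base(p) for p in found],
            "unexpected": [base(p) for p in unexpected],
            "missing": [base(p) for p in missing],
            "after_fix": [base(p) for p in after_fix],
        }


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p in scan_suid(sys.argv[1]):   # real audit: root-owned SUID files under the given tree
            print(p)
    else:
        print(demo_in_tempdir())
```

Keeping the baseline under version control and re-running the scan from cron turns the attacker's first enumeration step into a detection: any binary that gains the SUID bit after a package install or a manual chmod shows up in the unexpected list before someone finds it on GTFOBins.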