Privilege Escalation using SUID binaries

In this article we will learn about privilege escalation in Linux by using SUID permission.This is very useful in CTF challenge because with the help of SUID permission we can also get the root shell.


Table of Content :

  1. Introduction

  2. How to find SUID files

  3. Escalation using SUID

Introduction

There are different types of permission for a file and a directory in Linux to allow and restrict operations like read/write/execute and they have some assigned bit as :

  • Read ->   4

  • Write ->   2

  • Execute -> 1

So when we type chmod 777 it means that we are allowing all operations on that file because (4+2+1=7) but why 3 times means why “7” is present 3 times in the command.So first 7 is for “user” , second 7 is for “group” and last 7 is for “others” in Linux OS.

For ex if we use chmod 744 then it means that “user” can perform all the operation(rwx) and “group” can perform only read operation and same for the “others”

SUID(Set User ID) is a type of permission that allows attacker to execute a file with the permission of specified user.file with SUID permission have higher privilege so they can be used to get higher privileges or sometimes root privileges also.


How to find SUID files


In order to find SUID files we execute the command :

find / -perm -u=s -type f 2>/dev/null

  1. / means start from the root directory

  2. -perm means search for the permissions

  3. -u=s means search for those files that are owned by root

  4. -type means type of file we are searching for

  5. f means a regular file

  6. 2 denotes the standard error(stderr)

  7. > used for redirection

  8. /dev/null is a special filesystem object that throws away everything written into it.

Escalation using SUID

Suppose we have access to non-root user, now we execute the above command

And we can see there are so many SUID files and we are interested in “find” binary. Now we will use this for privilege escalation.”find” has SUID permission it means we can execute any command with the help of “find” but before that we need to create a file as shown in the image

Commands used :

  • touch HacLabs

  • find HacLabs -exec “pwd” \; //which gives us the current directory that is “/tmp”

  • find HacLabs -exec “ls”

This means that we can execute more command such as netcat, /bin/sh , bash etc.

So in the next step we executed the command find HacLabs -exec "/bin/sh" \;  , and we get the root shell . We check it by running the command whoami as shown in the image

So in this article we learned about privilege escalation using “find”. In other articles we will learn about some more SUID binaries for privilege escalation.


Subscribe to HacLabs newsletter

Get priority notification on the release of the latest articles.

  • YouTube
  • Twitter
  • Instagram
  • Linkedin

© 2020 by HacLabs.