Exploit SUID misconfiguration for privilege escalation

oxinfosec
3 min read · Feb 12, 2022

In this article, I am going to explain what SUID binaries are and how to exploit them to get a root shell, i.e. privilege escalation on the machine. Before diving into the privilege escalation part
we have to learn some basics of:

- Linux file ownership
- chown and chmod command
- SUID bit

# Linux file Ownership

To understand Linux file ownership, think of the whole Linux system as an office and the users on the system as employees at that office. As we know, every user (and the head of the office) has confidential information
that can't be shared with another person, so to keep users' files from getting mixed up and for the sake of privacy, Linux file ownership comes into play. Didn't understand? Don't worry, just bear with me.
Basically, each file has 3 types of users:

- owner of file
- group members
- other users

The owner of a file is the user who created it, the group members are the set of users who share the file's group ownership, and other users refers to anyone on the system except the owner and the group members.

https://i.ibb.co/s3jNr5G/Files-permissions-and-ownership-basics-in-Linux.png

image credit - geek diary

- read → 4
- write → 2
- execute → 1

777 stands for all permissions given to a file, i.e. anyone (user, group and others) can read, write and execute the file.

# chown and chmod

As we have seen, read, write and execute permissions are attached to files. With the chmod command we can change those permissions, i.e. make a file executable, readable or writeable.

The chown command, on the other hand, is used for changing the ownership of a file, i.e. changing which user and group own the file and therefore who can access it. We can do it just by typing:

**chown newuser:newgroup file**

Now enough basics, let's talk about SUID binaries: what they are and how we exploit them to escalate privileges.

# SUID and SGID

SUID stands for set user ID while SGID stands for set group ID. Let's take an example to understand SUID more deeply. Suppose a user Bob is the root user and he created a file called root.sh with the SUID
bit set. Then there is another user called Alice, a normal user, who sees the file root.sh and runs it. Since the SUID bit is set, the file runs on behalf of the admin even though a normal user ran it. That's what
the SUID bit does to a file: if the SUID bit is set, anyone can run that file on behalf of the file's owner (the user who created it).

A SUID binary is denoted by an s in its permission bits; we can set the SUID bit by typing **chmod u+s file**

# Exploitation

We can easily exploit the SUID bit in 3 steps. First we have to find the files whose SUID bit is set; we can do it by typing:

find / -user root -perm -4000 -print 2>/dev/null

It will print all files that are owned by root and have the SUID bit set (perm 4000). If SUID is set on a binary, go to https://gtfobins.github.io/ and check for an exploit. Suppose setuid is set for nmap:

we can easily get a root shell by typing **nmap --interactive**

There are tons of command-line utilities like **find, less, vim, man, etc.** that are exploitable through misconfiguration of the SUID bit; you can find the exploits for all of these on GTFOBins.
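A defensive counterpart to the three exploitation steps above, added here as an example (it is not code from the original post): a POSIX sh audit that lists setuid-root binaries with the same find command and flags any that are not in a known-good baseline. The baseline paths are a constructed assumption; build your own from a freshly installed image of the host.

```shell
#!/bin/sh
# Added example, not from the original post: audit setuid-root binaries
# against a known-good baseline so that unexpected ones stand out.

# Constructed baseline of setuid-root binaries that are normally expected
# on a typical Debian/Ubuntu-style host. Adapt it to the image you run.
SUID_BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp"

# Same search as the post: regular files owned by root with the SUID bit
# (4000) set. Permission errors for unreadable directories are discarded.
list_suid_root() {
    find / -user root -perm -4000 -type f -print 2>/dev/null | sort
}

# Read one path per line on stdin and print every path that is missing
# from the baseline. Returns 0 when nothing unexpected was seen, 1 otherwise.
# Anything reported deserves a look; the utilities the post names (nmap,
# find, less, vim, man) turning up setuid-root is a strong misconfiguration signal.
audit_suid() {
    found=0
    while IFS= read -r path; do
        if [ -z "$path" ]; then
            continue
        fi
        # Whole-line fixed-string match: no globbing, no regex surprises.
        if ! printf '%s\n' "$SUID_BASELINE" | grep -qxF -- "$path"; then
            printf 'UNEXPECTED setuid-root binary: %s\n' "$path"
            found=1
        fi
    done
    return "$found"
}

# On a live host, run:  list_suid_root | audit_suid
# Run it from cron and alert on a non-zero exit status to catch new SUID files.
```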

oxinfosec

A nerd guy who is in search of seeking knowledge