Exploiting SUID Permissions in Linux: A Guide to Privilege Escalation
Before we begin, it's important to note that searching for and exploiting SUID privileges without explicit written authorization from the owners of computer systems is illegal and constitutes a crime. Therefore, any information provided here should be used exclusively for educational purposes and not for malicious activities.
SUID (set-user-ID) privileges are a special permission bit that can be set on an executable file in Unix-based operating systems such as Linux. When such a binary is run, the process executes with the effective user ID of the file's owner rather than of the invoking user, which, for root-owned binaries, allows commands to run with elevated privileges that would normally be restricted.
Once access to a system has been obtained, the next step is to search for possible binary files with SUID permissions. To do this, we can use the following command in the terminal:
find / -perm -4000 2>/dev/null
This command will search the entire filesystem for files with the SUID bit set and list them on the screen. The "-perm -4000" parameter tells find to match files whose mode includes the set-user-ID bit (octal 4000), and "2>/dev/null" redirects standard error to /dev/null so that the "Permission denied" messages produced for directories the current user cannot read do not clutter the output.
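As an added defender-side example (not code from the original article), the same enumeration done in Python plus the two triage steps an auditor wants next: flag SUID files whose name matches one of the shell-capable binaries discussed here, and diff the result against an earlier inventory so newly appearing SUID files stand out. The SHELL_CAPABLE list, the sample directory tree and its file names are constructed assumptions for the demo.

```python
import os
import re
import stat
import tempfile

# Binaries named in this guide that hand out a shell when SUID (assumed audit list).
SHELL_CAPABLE = {"find", "python", "vim", "xargs"}

def is_suid(path):
    """True if path is a regular file with the set-user-ID bit (04000) set."""
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def find_suid(root):
    """Walk root, like `find root -perm -4000`, returning sorted SUID file paths."""
    hits = []
    for dirpath, _dirs, files in os.walk(root, onerror=lambda _e: None):
        for name in files:
            path = os.path.join(dirpath, name)
            if is_suid(path):
                hits.append(path)
    return sorted(hits)

def risky_suid(paths):
    """SUID files whose name, minus a version suffix (python3.11 -> python), is shell-capable."""
    return [p for p in paths
            if re.sub(r"[\d.]+$", "", os.path.basename(p)) in SHELL_CAPABLE]

def new_since_baseline(baseline, current):
    """SUID files present now but absent from an earlier inventory: what a defender alerts on."""
    return sorted(set(current) - set(baseline))

def demo():
    """Constructed sample tree: two SUID files (one shell-capable) and one ordinary binary."""
    root = tempfile.mkdtemp(prefix="suid_audit_")
    os.makedirs(os.path.join(root, "usr", "bin"))
    for rel, mode in (("usr/bin/python3", 0o4755), ("usr/bin/passwd", 0o4755),
                      ("usr/bin/ls", 0o755)):
        path = os.path.join(root, rel)
        open(path, "w").close()  # empty placeholder file, never executed
        os.chmod(path, mode)
    found = find_suid(root)
    baseline = [os.path.join(root, "usr/bin/passwd")]  # passwd is expected to be SUID
    rel = lambda ps: [os.path.relpath(p, root) for p in ps]
    return {"suid": rel(found), "risky": rel(risky_suid(found)),
            "new": rel(new_since_baseline(baseline, found))}
```

Run against "/" with a baseline saved at install time, the "new" and "risky" sets are the entries worth investigating; the rest are the distribution's expected SUID helpers.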
Once the files with SUID permissions have been identified, it's important to evaluate each of them to determine if there is a vulnerability that allows for their exploitation. Some of the most common binaries that can be exploited include "find", "python", "vim", and "xargs", as shown in the following examples:
./find . -exec /bin/sh -p \; -quit
This command uses the "find" binary to search the current directory (".") and execute "/bin/sh" with elevated privileges to gain root access. The "-exec" parameter indicates that "/bin/sh -p" should be executed for each file found (the "\;" terminates the -exec command and must be escaped so the shell does not interpret it as a command separator), and "-quit" makes find stop after the first match, so only one shell is spawned. The "-p" flag tells sh to keep its effective user ID instead of dropping back to the real user ID, which most shells do by default when the two differ.
./python -c 'import os; os.execl("/bin/sh", "sh", "-p")'
This command uses the "python" binary to execute a line of code that invokes the "os.execl" function to execute "/bin/sh" with elevated privileges. The "-c" parameter indicates that the following argument should be passed as an inline code string.
./vim -c ':py import os; os.execl("/bin/sh", "sh", "-pc", "reset; exec sh -p")'
This command uses the "vim" binary to start the editor and immediately run the ":py" command, whose Python code invokes the "os.execl" function to execute "/bin/sh" with elevated privileges. The "-c" parameter indicates that the following argument should be passed as an inline command string to be executed by vim on startup.
./xargs -a /dev/null sh -p
The command ./xargs -a /dev/null sh -p leverages the "xargs" binary to execute a shell with elevated privileges. The "-a" parameter specifies that xargs should read its input items from a file instead of standard input, and "/dev/null" is used here as an empty input file, so xargs runs "sh -p" once with no additional arguments.
It's important to note that these command examples are just a small sample of the techniques that can be used to exploit SUID permissions. There are many other tools and techniques that can be employed to exploit specific vulnerabilities in binaries with SUID permissions.
It's important to emphasize that searching for and exploiting SUID permissions without explicit written authorization from the owners of computer systems is illegal and can have serious legal consequences. It's always important to ensure that you have permission and authorization to carry out any type of penetration testing or security evaluation on a system.
There is no privacy without security
[2 years ago] Null Byte also mentions a more in-depth version as you mentioned: https://null-byte.wonderhowto.com/how-to/hack-like-pro-finding-potential-suid-sgid-vulnerabilities-linux-unix-systems-0158373/