Lab 10.1 Linux Permission Vulnerabilities - JimKnee-Champ/Ethical-Hacking-Journal GitHub Wiki

Order of the digits in an octal permission mode: (4) owner - group - all users. The optional leading 4 is the SUID bit.

sudo chown root:root effective_user.c (Changes ownership to root user and root group)

sudo chmod u+s effective_user.c (Changes permissions, specifically setting the SUID bit so that the file runs with its owner's permissions no matter which user runs it)

gcc effective_user.c -o effective_user (Compiles the .c file and outputs the "effective_user" file, which is an executable)

effective_user lists the owner of the file, which is whichever permission set is used to run it (the user account, or root if sudo is used).

When a file's permissions begin with a "4" (the SUID bit), the program always runs with the owner's permissions. This allows other users to run commands with permissions that are in excess of their own.

Run chown and chmod again on the new effective_user file. This changes the owner and group to root and adds the SUID permission bit.

find / -perm /4000 2>/dev/null (Finds all files on the system with SUID privileges: the ones with a 4 in front, which run with the owner's permissions)

find /etc -perm -o=w -type f 2>/dev/null (Searches the /etc directory for files (-type f) that other users have write permission on (-o=w), and redirects all errors to /dev/null)

Using this command with just "/" on the Rocky system returns far too many files to be useful. The search has to be pruned somewhat.

find / -not -path "/proc/*" -maxdepth 4 -type f -perm -o+w 2>/dev/null (This command reveals all files that are writable by all users, skipping the /proc/ directory and going no deeper than the contents of third-tier subdirectories (/a/b/c/d.file))
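
The two searches above, combined into a small audit that also checks SUID files against an allowlist of approved ones. This is an added example, not part of the original lab: the function names, file names and allowlist format are assumptions, and the script builds its own throwaway directory instead of scanning /.

```shell
#!/bin/sh
# Added example, not part of the original lab. All paths below are constructed.

# SUID files under $1. -perm -4000 matches the same files as the lab's
# -perm /4000, because only one bit is being tested.
list_suid() {
    find "$1" -maxdepth "${2:-4}" -type f -perm -4000 2>/dev/null | sort
}

# Files under $1 that any user can write to (the lab's -perm -o+w check).
list_world_writable() {
    find "$1" -maxdepth "${2:-4}" -type f -perm -o+w 2>/dev/null | sort
}

# SUID files under $1 that are missing from allowlist file $2 (one path per
# line). These are the ones to review first.
unexpected_suid() {
    list_suid "$1" | grep -vxF -f "$2" || true
}

# Build a throwaway tree with known modes and print its path.
build_demo_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/etc"
    touch "$d/bin/approved" "$d/bin/unreviewed" "$d/etc/app.conf" "$d/etc/ok.conf"
    chmod 4755 "$d/bin/approved" "$d/bin/unreviewed"  # leading 4 = SUID
    chmod 0666 "$d/etc/app.conf"                      # writable by everyone
    chmod 0644 "$d/etc/ok.conf"                       # owner-writable only
    printf '%s\n' "$d/bin/approved" > "$d/allowlist.txt"
    chmod 0644 "$d/allowlist.txt"
    printf '%s\n' "$d"
}

tree=$(build_demo_tree)
echo "SUID files:";            list_suid "$tree"
echo "World-writable files:";  list_world_writable "$tree"
echo "SUID not in allowlist:"; unexpected_suid "$tree" "$tree/allowlist.txt"
rm -rf "$tree"
```

On a real system, point the functions at a directory such as /usr and keep the allowlist under version control so that a newly appearing SUID file stands out.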