Linux ‐ Permission Vulnerabilities - Snowboundport37/champlain GitHub Wiki

🔒 Linux Permission Vulnerabilities - Technical Journal

Author: Andrei Gorlitsky
Course: SEC-335
Date: April 2025


✅ Deliverable 1: Compile and Execute effective_user

Code Used:

#include <stdio.h>
#include <unistd.h>
#include <pwd.h>

int main(void) {
    uid_t uid = geteuid();
    struct passwd *pw = getpwuid(uid);
    if (pw)
        printf("Effective user: %s\n", pw->pw_name);
    else
        printf("User not found\n");
    return 0;
}

Commands Used:

gcc effective_user.c -o effective_user
./effective_user
sudo ./effective_user

✅ Deliverable 2: Octal Permissions

Commands Used:

ls -l effective_user
stat effective_user

I confirmed the octal permissions of the file to be 755 (rwxr-xr-x).


✅ Deliverable 3: Change Ownership and Set SUID Bit

Commands Used:

sudo chown root:root effective_user
sudo chmod u+s effective_user
ls -l effective_user
./effective_user

The permission changed to -rwsr-xr-x, confirming the SUID bit is set.


✅ Deliverable 4: Search for SUID Programs on Kali

Command Used:

find / -type f -perm -4000 2>/dev/null

This listed SUID binaries like /usr/bin/passwd, /usr/bin/sudo, and our own effective_user.


✅ Deliverable 5: Hidden SUID Program on Rocky (10.0.17.200)

SSH Access:

Command Used:

find / -type f -perm -4000 -name 'b*' 2>/dev/null

Output:

/usr/bin/booger

✅ Deliverable 6: Create and Find a World-Writable File (No sudo)

Since I did not have sudo privileges on Rocky, I created the file in /tmp:

Commands Used:

touch /tmp/worldwrite.txt
chmod 777 /tmp/worldwrite.txt
find /tmp -type f -perm -o=w 2>/dev/null

Output:

/tmp/worldwrite.txt

✅ Deliverable 7: Hidden World-Writable File on Rocky

Command Used:

find / -path /proc -prune -o -path /sys -prune -o -type f -perm -o=w -name 's*' -print 2>/dev/null

Output:

/usr/share/games/solitaire

✅ Deliverable 8: Documentation Summary

SUID Hunting Techniques:

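  • Use find / -type f -perm -4000 to locate all SUID binaries
  • Add -name 'b*' to narrow the search to filenames that begin with b
  • Alternatively, filter the results with grep; anchor the pattern to the final path component so that directories such as /usr/bin do not match every line:
find / -type f -perm -4000 2>/dev/null | grep -i '/b[^/]*$'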

World-Writable Hunting Techniques:

  • Use find / -type f -perm -o=w to locate globally writable files
  • Exclude /proc and /sys to avoid noise:
find / -path /proc -prune -o -path /sys -prune -o -type f -perm -o=w -print 2>/dev/null
  • To search for specific filenames:
find / -path /proc -prune -o -path /sys -prune -o -type f -perm -o=w -name 's*' -print 2>/dev/null

These techniques are useful for identifying privilege escalation vectors and misconfigurations on Linux systems.
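The same find predicates can be turned into a repeatable audit. The script below is an added example, not part of the original journal: it diffs SUID files against an approved baseline and lists world-writable files. The function names, the baseline file, and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: SUID baseline diff and world-writable file audit.
# Function names and the sample tree are hypothetical, not from the lab.

# Print every regular file under $1 with the SUID bit set, sorted.
list_suid() {
    find "$1" -type f -perm -4000 2>/dev/null | sort
}

# Print SUID files under $1 that are absent from the baseline file $2
# (one absolute path per line). grep exits 1 when nothing is left over,
# so "|| true" keeps a clean result from looking like a failure.
unexpected_suid() {
    list_suid "$1" | grep -F -x -v -f "$2" || true
}

# Print regular files under $1 that are writable by "other",
# pruning /proc and /sys as the journal's commands do.
list_world_writable() {
    find "$1" \( -path /proc -o -path /sys \) -prune -o \
        -type f -perm -o=w -print 2>/dev/null | sort
}

# Build a constructed sample tree with a baseline file and print its path.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/share"
    : > "$d/bin/passwd";   chmod 4755 "$d/bin/passwd"    # approved SUID
    : > "$d/bin/booger";   chmod 4755 "$d/bin/booger"    # unexpected SUID
    : > "$d/bin/ls";       chmod 0755 "$d/bin/ls"        # ordinary binary
    : > "$d/share/notes";  chmod 0666 "$d/share/notes"   # world-writable
    : > "$d/share/readme"; chmod 0644 "$d/share/readme"  # ordinary file
    printf '%s\n' "$d/bin/passwd" > "$d/baseline.txt"; chmod 0644 "$d/baseline.txt"
    printf '%s\n' "$d"
}

tree=$(make_sample_tree)
echo "Unexpected SUID files:"; unexpected_suid "$tree" "$tree/baseline.txt"
echo "World-writable files:";  list_world_writable "$tree"
rm -rf "$tree"
```

On a real host, generate the baseline from a known-good build with list_suid and store it where unprivileged users cannot modify it.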
