Path Variable Manipulation
What is SUID, SGID, and Sticky bits?
Search system for types of files with SUID bits
Verify file has SUID bit
Example of exploit
We find a script that has SUID bit, which runs curl upon call. Create a binary called curl that gives you a bash shell, then modify the user's PATH to use your created curl which running the script will give you a root bash shell.
What are typical SUID files? (not cp)
Research against https://gtfobins.github.io/ to find a vulnerable service. You could also use LinEnum or LinPeas to automate Piv Esc.
Common SUID to Priv Esc:
Last updated