SUID Shenanigans

Linux Privilege Escalation

Privilege Escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user.

What is SUID

Set owner UserID up on execution is a special type of file permission given to a file. When a user runs a program, given they have the correct reading/executing rights, it will run using their account privileges. SUID allows a user to run a program using another users privileges.

In some cases, we can take advantage of having a file run as another user, to execute commands as them. If a binary has the SUID bit set, it will have an s appear. If we check the file permissions of the passwd binary, we can see the permissions are -rwsr-xr-x.

The SUID bit is set on the execute permission, meaning when a user runs this, it will run as the file owner (which is root).

In essence, SUID files execute with the permission of the file owner.

Taking advantage of SUID files

Some administrators will set the SUID bit manually to allow certain programs to be run as them. Lets say you're a system administrator and a non-privileged user wants to program that requires it to be run with higher privileges. They can set the SUID bit, then the non-privileged user can execute the program without having any extra account permissions set.

We can scan the whole file system to find all files with the SUID bit set, with the following code:

find / -user root -perm -4000 -exec ls -ldb {} \;

The find command has a parameter where it can execute commands. So when it finds a file, it will list its permissions. If a sysadmin has manually set an SUID bit on a binary, the code above will find it.

GTFOBins is a curated list of Unix binaries that can be exploited by an attacker to bypass local security restrictions. When we find the SUID binaries we can search on this list to see how to exploit them.

First step is to ssh into the machine on port 65534

Once in we can see that holly doesnt have to read the flag1.txt file

Searching the system for files with the SUID bit set, we can see that we can run find as other user.

By running the find command we can execute other commands, like cat which can help us read the flag1.txt

find /home/igor -name flag1.txt -exec cat flag1.txt {} \;

After searching for all the files owned by root with the SUID bit set, and going through all of them in GTFOBins website, I couldn't find a way to get root. The binary system-control caught my attention and somehow I thought it was related to systemctl. In the end, all I that was a stupid assumption, because the only thing I needed to to was to run the binary.

Stop complicating things. If in doubt just run the damn binary instead of going around in circles.